cio.com 



MAY  15,  2003  •  $9.00 


THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 


The  Sarbanes-Oxley  Act 

Why  CIOs  Must  Play  a  Leading 
Role  to  Ensure  Compliance 

Page  70 

Product  Lifecycle 
Management 

How  It  Works,  Where  It  Works 
and  Why  Companies  Are 
Investing  in  It 


SOFTWARE SECURITY

THE BUGS STOP HERE


What  CIOs  Can  Do  To 
Guarantee  Secure  Software 


Page  92 

Pain-Free  CRM 

A  Case  Study: 

Blue  Cross  of  Minnesota 
Puts  Its  Back  End  Online  for 
Competitive  Advantage 

Page  79 


Schrage on Utility
Computing—the
Hidden Costs

Page  50 


Wallington  on 

Why  Leaders  Must 
Learn  to  Follow 

Page  44 


Page  60 


CUNA  Mutual  VP  of  IT 
Bob  Ferderer  insists  that 
any  new  software  he  < 
must  first  go  through 
error-free  scan. 




Remember  the 
of  supply  and  demand? 


Well,  demand  won 


Not  everyone  sees  it,  but  something  is  happening. 

A  fundamental  shift.  An  evolution  in  how  the  best-run  companies  allocate  resources, 
structure  processes  and  costs,  and  interact  with  partners,  employees  and  customers. 

Look  around  and  you  can  see  why:  market  fluctuations  are  getting  harder  to  predict, 
forecasting  can’t  be  counted  on,  customers  are  becoming  more  empowered,  more  impatient, 
more  demanding.  This  is  a  new  world  of  business. 

This  is  the  world  of  on  demand  business. 

Some  are  seeing  it  clearly.  Some  are  accepting  uncertainty,  learning  to  adapt  and  thrive, 
finding  ways  to  cope,  even  ways  to  accelerate.  Regardless  of  economic  climate. 

At  its  most  basic  level,  on  demand  business  is  about  spending  less  time  trying  to  guess 
what  might  happen  in  the  future  and  more  time  developing  ways  to  find  out  earlier  and  react 
faster  to  what’s  really  happening  right  now. 

Companies  that  embrace  on  demand  thinking  become  on  demand  businesses  -  responsive 
organizations  with  tightly  integrated  supply  chains  that  can  react  in  unison  and  in  real  time  to 
anything  from  unique  customer  demands  to  downstream  logistics  to  pricing  volatility. 

How?  By  turning  fixed  costs  into  variable  costs.  By  focusing  on  core  competencies  and 


creating  a  tight  network  of  integrated  partners  and  specialists  to  handle  everything  else. 

How  do  you  begin  the  transformation  to  on  demand  business? 

By  asking  the  right  questions.  Where  are  the  weak  points  in  my  business  model?  Where 
am  I  at  a  disadvantage?  Is  the  issue  cost  structure?  Or  efficiency?  Or  entrenched  behavior? 
Which  processes  need  automating,  flattening,  re-engineering  or  outsourcing? 

How  do  I  increase  yield  right  now,  get  more  from  what  I  already  have?  How  do  I  make  the 
cultural  changes  that  make  transformations  stick? 

At  IBM,  we’re  answering  these  kinds  of  questions  every  day  -  working  with  hundreds  of 
companies  of  all  sizes  to  help  them  make  the  transformation. 

We’re  bringing  to  the  table  a  unique  combination  of  industry  experience,  business  insight 
and  executional  know-how.  Building  deep  client  relationships  that  generate  increasing  value 
over  time.  Initiating  the  kind  of  innovative  business  thinking  and  follow-through  that  drive  a 
new  standard  of  productivity,  efficiency  and  bottom-line  gains. 

In  short,  delivering  the  results  of  on  demand  business. 

So  talk  to  us.  Let  IBM  help  you  see  the  potential  and  pragmatism  of  on  demand  business 
in  your  company.  On  demand  business.  Get  there  with  (e)  business  on  demand™ 


An  automaker  in  Detroit  sells  a  car.  Then 
builds  the  car.  Can  you  see  it? 


A  supermarket  has  no  stockroom.  But 
always  has  lime  soda.  Can  you  see  it? 


A  bank  cuts  credit  checking  time.  But 
gives  more  credit.  Can  you  see  it? 


A  snowstorm  closes  a  distribution  hub. 
Distribution  is  unaffected.  Can  you  see  it? 


ibm.com/ondemand 


Sure,  if  you’re  in  a  hot  spot,  then  Wi-Fi  can 


give  you  wireless  access.  But  what  about  the 
millions  of  places  where  it  can’t?  Fortunately, 
the  one  spot  where  you  can  find  all  the 
answers  is  on  our  website.  We’ll  show  you 


CDMA2000:  HOT  FROM  SEA  TO  SHINING  SEA. 

how  CDMA2000  gives  you  always-on  remote 
access  in  a  protected  environment  at  speeds 
faster  than  dial-up.  Best  of  all,  CDMA2000 
delivers  anywhere  that  your  wireless  carrier 
has  coverage,  across  the  entire  country.  Plus, 
you  won’t  have  to  fill  up  on  double  lattes 
while  accessing  your  network.  To  learn  more, 
visit  us  at  www.qualcomm.com/enterprise. 


Qualcomm 



Introducing  Microsoft  Windows  Server  2003.  Do  more  with  less. 

You’re being asked to do more. You’re being asked to do it with less. Microsoft Windows Server 2003 is
designed to help you manage these opposing forces and deliver powerful software solutions with less time,
money, and hassle. For more information, and to get your free evaluation copy of Windows Server 2003
by July 31, 2003, go to microsoft.com/windowsserver2003. Software for the Agile Business.

The London Stock Exchange, with the help of Accenture, selected Windows Server 2003 as the foundation for
their real-time, business-critical, market information delivery system. Using Visual Studio .NET and the Microsoft
.NET Framework, this innovative new system was developed in less than eight months from conception to production
and now serves 100,000 terminals worldwide with up to 3,000 transactions per second.


Larger  projects,  higher  goals,  greater  responsibility, 



Fewer  resources,  tighter  timelines,  shrinking  budgets. 



Microsoft 

Windows  Server  2003 


VOL.  16  •  NO.  15  •  MAY  15,  2003 


Cover  Story 

APPLICATION SECURITY | 60

THE  BUGS 
STOP  HERE 

Don’t  blame  Microsoft.  Don’t  blame  the  hackers. 
Blame  yourself  for  insecure  software.  Better  yet, 
stop  blaming  and  start  moving  toward  operational 
excellence.  By  Scott  Berinato 


COVER  PHOTO  BY  KEVIN  MIYAZAKI 


Bob  Ferderer,  VP  of  IT  internal  operations  and  security  at  CUNA  Mutual 
Group,  is  frustrated  by  the  “relationship  between  individuals  not  taking 
action  and  how  [viruses  and  other  vulnerabilities]  spread  out  of  control.” 


Features 

PLAYING BY NEW RULES | SARBANES-OXLEY
Your Risks and Responsibilities | 70

You may think the Sarbanes-Oxley legislation has nothing to
do with you. You’d be wrong. By Ben Worthen


The  biggest  challenge  of 
PLM  projects  is  getting 
stakeholders  to  agree  on 
common  business  processes, 
says  Susan  Kampe,  VP  of  IT 
for  the  Automotive  Systems 
Group  of  Johnson  Controls. 
“These  are  gut-level 
changes,"  she  says. 


CASE FILES | CUSTOMER CONNECTIONS
Pain-Free CRM | 79

By  taking  the  time  to  integrate  data  for  its  online  CRM  system, 
a  regional  health  plan  has  succeeded  where  other  large  insurers 
have  stumbled.  By  Meridith  Levinson 

Q&A | MARCO IANSITI
Integration the Right Way, the Wrong Way | 84

Harvard’s  Marco  Iansiti,  who  has  studied  the  technology 
strategies  of  nearly  100  companies,  says:  Keep  your  integration 
expertise  in-house. 

PRODUCT LIFECYCLE MANAGEMENT
There’s a New App in Town | 92

PLM aims to streamline product development and boost innovation
in manufacturing. But it won’t be easy or cheap. Here’s what
CIOs need to do about this latest buzzword technology.

By  Beth  Stackpole 



CIO MAY 15, 2003 • www.cio.com




It's  so  far  forward,  it's  a  shame  to  call  it  backup. 

Apparently  the  word  is  out  everywhere.  BrightStor™  ARCserve®  Backup  is  among  the  most  reliable  and  widely  used 
backup  solutions  in  the  world.  In  fact,  hundreds  of  thousands  of  people  rely  on  BrightStor  ARCserve  Backup 
technology  to  protect  their  critical  servers.  Now  we've  created  BrightStor™  ARCserve®  Backup  v9,  the  most  advanced 
version  ever.  As  part  of  the  BrightStor™  line  of  storage  management  solutions,  BrightStor  ARCserve  Backup  v9  is  amazingly  powerful  yet 
one  of  the  simplest  to  use  and  easiest  to  install  solutions  out  there.  In  fact,  most  users  can  perform  their  first  backup  within  20  minutes 
of  start-up.  And  that  means  it's  the  perfect  backup  software  choice  for,  well,  just  about  everyone.  ca.com/brightstor/arcserve9 


ARCserve  v9 
is  here 




BrightStor™  ARCserve®  Backup 


Computer  Associates® 


Novell 


©  2002  Computer  Associates  International.  Inc.  (CA).  All  rights  reserved. 


Introducing  a 
Business  Intelligence 
Breakthrough  of 
Enterprise  Proportions. 


BusinessObjects  Enterprise  6. 


This is a breakthrough. And a big one. BusinessObjects Enterprise 6 is, very simply,
the  new  benchmark  for  enterprise  business  intelligence. 

It's  a  complete  suite  of  integrated  business  intelligence  software  designed  to  meet 
the  needs  of  all  your  users.  It  provides  the  industry's  best  web  query,  reporting, 
and  analysis  capabilities.  The  most  complete  and  advanced  suite  of  analytic 
applications.  The  best  packaged  application  connectivity.  And  end-to-end 
product  integration.  The  bottom  line?  Enterprise  6  enables  your  organization 
to  track,  understand,  and  manage  enterprise  performance  better  than  ever 
before.  Better  than  with  any  competing  product.  Or  combination  of  products. 
More  than  17,000  companies  around  the  world  rely  on  award-winning 
Business  Objects  business  intelligence  software  to  unlock  the  power  of 
information  to  improve  enterprise  performance. 

To  view  our  interactive  product  demonstration  or  to  reserve  a  place  at  our 
seminar  series,  visit  www.businessobjects.com/e6.  Or  call  us  at  1-800-527-0580. 
And  experience  the  breakthrough  power  of  BusinessObjects  Enterprise  6,  today. 


BusinessObjects 


Columns 

TOTAL LEADERSHIP
After You! | 44

Why leaders should hone followership
skills. By Patricia Wallington

MAKING I.T. WORK
The Voodoo Economics Behind Utility Computing | 50

Before you sign up for pay-as-you-go,
you need to understand how utilities
can manipulate and hide the true costs
of plugging in. By Michael Schrage


EMERGING TECHNOLOGY
Putting IT on the Map

As GIS tools and data sources become more
sophisticated and affordable, they’re helping
more companies and governments understand
precisely where their trucks, workers
and resources are, where they need to go to
serve a customer—and the best way to get
from here to there. By Alice Dragoon


REAL VALUE
Tough Decisions | 54

IT project selection has many pitfalls. Get
it wrong and your IT portfolio can become
a nightmare. Here are some warning
signs and solutions to help you improve
your process. By Jack Keen

REALITY BYTES
Buyer Beware | 100

This little surfer went to market. This little
surfer went home. By Megan Santosus

SOUND OFF
Would You License Your Processes to Others? | 104

The process licensing game is growing in
popularity. But who will win?
By Art Jahnke

CAREER COUNSEL
When You’ve Just Had It | 110

What to do when the job didn’t turn out
as expected.


Sections 

TRENDLINES | 28

What’s in a face?; Reality unlike TV; In
search of Columbia. And more

OFF THE SHELF | 32

Nanotech—fact and fiction: Nanocosm
and Prey; The New Bookshelf; CIO
Best-Sellers

WASHINGTON WATCH | 38

Foreign worker quota set to drop
amid backlash.

EMERGING TECHNOLOGY | 114

Geographic information systems make
their way into daily operations.
By Alice Dragoon

UNDER DEVELOPMENT | 120

A new low-loss optical fiber can conduct
an intense stream of laser light that would
melt an ordinary fiber.

TECH TACT | 122

New products and current trends are
making real-time a reality.


In Every Issue

FROM THE EDITOR
The Buck Stops Where? | 16

New pressures and new responsibilities for
CIOs. By Abbie Lundberg

INBOX | 20

Reader feedback

INDEX | 126

EXECUTIVE SUMMARY | 128

Abstracts of all the feature stories found
in this issue.




EMULEX 

We  network  storage 




Emulex technology is used by 9 of the top 10 server & data storage
providers and Fortune 1000 data centers.


Emulex  storage  networking  connectivity  products  enable  the  world's  leading 
server  and  storage  providers  to  deliver  data  center  solutions  that  ensure  high 
availability  access,  business  continuance,  and  lower  total  cost  of  ownership. 


Bear  Wagner 


ELX 


Bear  Wagner  is  proud  to  represent 
Emulex  on  the  New  York  Stock  Exchange.  NYSE 


LISTED 


03-170 


www.emulex.com 


NYSE:  ELX 


800  EMULEX! 


WHY  NOT  CUT  COSTS 
WITHOUT  CUTTING 
CORNERS? 


It’s  simple,  really:  When  you  buy  commodity  hardware,  you  get  commodity 
features.  So  why  not  get  premium  features  for  the  same  price?  With  a  line 
of  powerful  servers  starting  at  just  $995,  Sun  proves  once  again  that  you 
can  lower  costs  and  complexity  without  compromising  quality. 


Sun  has  an  entire  family  of  servers  built  to  deliver  enterprise-level  performance 
and  reliability  at  highly  competitive  prices.  Which  means  that  for  the  cost  of 
an  alarmingly  mediocre  Wintel  box,  you  can  get  an  ultra-reliable  Sun  server 
ready  to  take  on  your  most  mission-critical  tasks.  From  CRM  applications  to 
e-mail  and  Web  serving.  With  this  kind  of  bang  for  the  buck,  it’s  no  wonder 
Sun  has  remained  the  UNIX®  server  leader  every  year  since  1998* 


So  go  ahead  and  ask  yourself:  Is  your  business  a  commodity  business?  Do 
you  aspire  to  deliver  parity  products  that  deliver  parity  returns?  Why  not  use 
Sun  servers  to  break  away  from  the  pack  once  and  for  all? 


To  find  out  more  about  how  Sun  servers  can  deliver 
state-of-the-art  technology  at  state-of-the-economy  prices, 


microsystems 


visit  SUN.COM/WHYNOT 


We  make  the  net  work. 


SUN LX50 A powerful entry-level
x86 server that runs Sun Linux or
Solaris™ Operating Environment. It's fully
supported by Sun and priced at $2,795.


SUN  FIRE  V480  A  winning  SPARC®/ 

Solaris  server  that  delivers  the  horsepower 
to  run  e-commerce,  OLTP,  supply  chain 
and  database  management  applications. 


*Source: IDC's Worldwide Quarterly Server Tracker, February 2003. Based on revenue and shipment growth, CY2002, all OSs.

©2003 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo, Sun Fire, Solaris and Sun StorEdge are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based on an architecture
developed by Sun Microsystems, Inc. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd.


SUN FIRE™ V1280 Enterprise-class features
and aggressive price points, so you can lower
the cost of reliability.


SUN STOREDGE™ 3510 Sun’s new
Fibre Channel Array with enterprise-class
features. It’s the ideal companion to
Sun’s entry-level and workgroup servers.


SUN  FIRE  V880  Sun's  best-selling 

server  for  departments  or  data  centers. 
With  more  standard  features,  there  are 
no  hidden  costs  and  no  surprises. 


Interactive  features  from  May  15  to  May  31 


ASK  THE  SOURCE 

Talk  to  Stuart  Scott 

CIO Stuart Scott orchestrated a wholesale
campaign to sell GE Industrial Systems
on product lifecycle management
(see There’s a New App in Town,
Page 92) through e-mails and a webcast.
And it worked. For the next two weeks,
Scott will answer your questions—and
hear your advice—on getting the company
to buy in. Go to www.cio.com/ask.


GE  Industrial  Systems  CIO  Stuart  Scott 


Our  Daily  Web 

MONDAY  Tech  Tact 

Technology  Editor  Christopher 
Lindquist  covers  what’s  coming. 

TUESDAY  Alarmed 

Security  experts  Sarah  D.  Scalet 
and  Scott  Berinato  give  you 
something  new  to  worry  about. 

WEDNESDAY  Metrics 

Web  Writer  Jon  Surmacz  makes 
sense  of  the  numbers. 

THURSDAY  Sound  Off 

Web  Editorial  Director  Art  Jahnke 
opines  on  managerial,  political  and 
ethical  dilemmas. 

FRIDAY  The  Big  Picture 

Charts  and  graphs  that  are  worth  a 
thousand  words. 


ADD  A  COMMENT 


Is  utility  computing  destined  to  be  just  another 
deregulated  beast? 


That’s the question Michael Schrage asks in this issue’s Making IT
Work column, The Voodoo Economics Behind Utility Computing
(Page 50). Some embrace information utilities as a way
to access data and transactions much like water and
electricity, but Schrage says we’d be creating a regulated
monopoly. Tell him what you think. To Add a Comment,
go to the online version of the column from the Search
box on the CIO.com homepage.

Find  links  to  the  stories  mentioned  above  in  the 

WEB  CONNECTIONS  box  at  www.cio.com. 


Editor’s Pick: Just Ask

If the stories and other features on CIO.com don’t tell you what you need to
know, there’s another way to find out. Just ask.

Ask the Author invites you to send questions to authors of the latest books
about business and IT. Ask the Expert puts you in touch with those in-the-know
on specific technologies and business strategies. Ask the Source lets
you put questions to CIOs whose IT implementations are reported in CIO. Now, all of your
questions can be answered from one easy-to-use page.

Go  to  www.cio.com/ask.  -Art  Jahnke,  Web  Editorial  Director 


Peer Resources
from CIO’s Sister
Publications

■ GIS is becoming mainstream
(see Emerging Technology: Putting
IT on the Map, Page 114). But with
that popularity comes security headaches.
Go to www.csoonline.com and type
“GIS” in the Search box to find what
CISO Kevin Dickey has to say.

■ By now, you know the impact of
the Sarbanes-Oxley Act (see story
on Page 70). But do your nontechnology
colleagues get it yet? Send
them to read Get on Board at
www.darwinmag.com.




The  Application  Server 

with  Built  In  Business  Intelligence 


Business 

Intelligence 


Content 

Management 


Application 

Integration 


Application 

Server 


Web  Services 


Wireless 


Portal 


Java  J2EE 


All  the  Middleware  you  need 
integrated  into  one  Application  Server 


oracle.com/theappserver 
or  call  1.800.633.0546 


Copyright  ©2002,  Oracle.  All  rights  reserved.  Oracle  is  a  registered  trademark  of  Oracle  Corporation  and/or  its  affiliates. 


From  the  Editor 

lundberg@cio.com 


We’ve  always  valued  your 
opinion.  And  now  we’ve 
made  it  easier  for  you  to  give 
it:  All  online  features  and 
columns  now  include  an 
ADD  A  COMMENT  box  for 
your  opinions.  So,  the  buck 
stops  where?  You  tell  us. 


The  Buck 
Stops  Where? 


IF I HAD A NICKEL FOR EVERY TIME I TALKED
about the changing role of the CIO...well, I’d have
a lot of nickels. The cascading impact of technology
change on business operations, governance models
and roles just keeps on coming, like waves marching
up the beach after a storm.

This  seems  to  be  a  particularly  intense  period  of 
change,  thanks  to  the  triple-threat  pressures  of  the 
grim  economy,  accounting  scandals  and  increased 
concern  over  security  risks. 

In this issue, we look at two new areas of CIO
accountability: the need to eradicate security flaws
in software and the mandate to ensure that corporate
accounting data stands up to audit scrutiny
under the Sarbanes-Oxley Act.

Software bugs are nothing new, and CIOs have
long lamented their number and nastiness. There
are reasons why vendors churn out buggy software,
and some of those will never go away. So
are CIOs doomed to live with software riddled
with security holes?

Absolutely  not,  writes  Senior  Editor  Scott 
Berinato  in  “The  Bugs  Stop  Here”  on  Page  60. 
First  of  all,  between  the  current  buyer’s-market 
conditions  and  the  heightened  focus  on  security  in 
general,  there’s  never  been  a  better  time  to  exert 
greater  pressure  on  vendors  to  write  cleaner,  more 
secure  code. 


But  even  without  that  leverage,  CIOs  are  not 
without  recourse.  Got  a  bug  problem  in  your  shop? 
New  tools  and  processes  can  help  you  find  and 
eliminate  them.  There’s  really  no  excuse  not  to. 

Many CIOs see this as a natural part of their
job. “Security is really about operational excellence,”
says Al Schmidt, vice president of IT and
CIO at Arch Chemicals. “That’s what I’m supposed
to be doing, right?”

But what about ensuring the accuracy of financial
data? Is that also something CIOs are supposed
to be doing?

Yes and no. Clearly the CFO and audit committee
have a central role to play. But given that
most financial systems are complex enterprise
beasts, linked into (and drawing data from) other
systems, the finance and audit teams can’t go it
alone. In most companies, it’s not the CFO who’s
going to make systems capable of real-time
disclosure of material changes (which, by the way,
is something that will need to be done). To find
out more about the implications of the Sarbanes-Oxley
Act, turn to Page 70.

These  current  pressures  add  a  few  more  “bucks” 
to  the  long  list  of  things  that  stop  with  the  CIO.  So 
find  out  all  you  can  about  what’s  required  and, 
together  with  your  colleagues  (or  vendors),  develop 
a  plan  to  meet  those  new  obligations. 




PHOTO  BY  JASON  GROW/SABA 



In supply chain management, aiming at your issues precisely is
greater than just swinging away.


Any company’s supply chain can have a weak link or two along the way. But a complete software overhaul
means breaking the bank just to deliver a few impactful efficiencies.


J.D.  Edwards  Supply  Chain  Management  Software  allows  you  to  isolate  solutions  the  same  way  you  isolate 
problems.  Our  modular  approach  lets  you  utilize  as  much  or  as  little  of  our  flexible  software  as  you  need, 


and  delivers  quick  results  across  your  entire  enterprise,  from  forecast  to  delivery.  Plus,  our  open  architecture 
works  with  your  legacy  systems.  Instead  of  selling  you  the  entire  dartboard,  SCM  from  J.D.  Edwards  offers  you 


just  the  bull’s-eye — and  hits  a  low  total  cost  of  ownership  in  the  bargain. 


Investigate  our  SCM  white  paper  series  by  calling  1-800-701-0952, 
or  visit  www.jdedwards.com/dart  now. 




Making  important  decisions  is  your  job.  Delivering  the  insight  to  help  you  make  smarter  decisions  is  ours.  We  are 
Microsoft  Business  Solutions.  With  business  applications  and  services  from  financial  management  to  customer 



relationship  management,  we  have  the  experience  and  resources  to  help  you  succeed  in  an  ever-changing 
business  world.  To  learn  more,  visit  microsoft.com/BusinessSolutions/lnsight  Software  for  the  Agile  Business. 


Microsoft 

Business 

Solutions 




InBox 

Reader  Feedback 


OFFSHORE  SOFTWARE  DEVELOPMENT:  SECURITY  VS.  XENOPHOBIA 

Editor’s note: We were inundated with responses to Publisher Gary Beach’s March 1 column,
“Offshore Costs.” Here are excerpts from a few of them.

Your  column  shows  your  callous  and  complete  ignorance  of  software  development  practices. 
All  the  companies  that  you  mentioned  in  the  article  follow  strict  software  quality  practices, 
whether  the  software  development  is  done  on  U.S.  or  on  non-U.S.  soil.  The  software  developed 
by  these  companies  goes  through  a  series  of  functional,  integration,  regression  and  beta  testing 
before  it  is  released,  which  makes  it  very  hard  for  a  malicious  piece  of  code  to  be  injected  and 
remain  undetected  in  the  public  release  of  the  product. 

Your  column  not  only  lacks  the  technical  maturity  that  is  expected  from  a  technical  magazine, 
but  it  also  exposes  a  xenophobic  tendency  on  your  part,  and  shows  your  ignorance  on  global 
economics.  You  say  “American  software.”  Can  you  define  “American  software”? 

Ashish  Ray  •  ashisbray@yahoo.com 


Why would we put the heart of our
business systems in the hands of people
who have no patriotic loyalty to
the United States? Our enemies are
probably drooling at the prospect of
being able to buy this information at a
very cheap price and then use it to disrupt
our economy even more than the
terrorist attacks did.

Richard K. Malcolm

Carolina Tractor & Equipment
rmalcolm@carolinatractor.com

Let’s not forget that the Sept. 11 terrorists
learned how to fly on U.S. soil. Borders
will not stop industrial espionage.
Do we need to continue to build safeguards
that protect users of critical systems?
Absolutely. Will forcing critical
systems to all be built domestically
resolve this? Absolutely not.

Nate Lentz

President and CEO, Verticalnet
nlentz@verticalnet.com

I agree with you 100 percent. The development
of technologies offshore is a
serious security problem. The one key
factor, as you have mentioned, is the
decreasing number of graduates
the United States produces in the sciences.
The end result of poor math and
science curricula is coming home to roost.

Paul  R.  Shosho 
New  School  University 
shoshop@newschool.edu 


Your  argument  is  perplexing  to  me 
because  it  assumes  that  “bad  guys”  (as 
you  call  them),  who  may  have  a  vendetta 
against  American  software,  are  only 
located  offshore.  Have  you  considered 
that  there  may  be  an  equal  threat  right 
here  within  our  borders? 

Joseph  King 

Vice  President,  MindTree  Consulting 
josephk@mindtreeconsulting.com 


We have tens of thousands of IT workers
being laid off here in this country. I
disagree with you that the solution is to
improve our math and science curricula
to solve this problem. We have plenty of
highly qualified people. They are just
seen as too expensive.

We  will  see  how  expensive  things 
really  are  once  the  corporate  code  is 
infiltrated,  subverted  and  sabotaged. 

John  Tullis 
President,  Iron  Citadel 




Publisher  Gary  Beach  responds: 
First, I want to make a public
apology to the talented men
and women who work for
Indian software development
companies in Bangalore,
India. My column
unfairly singled out this
city, its companies
and its workers—that
was wrong.

I wrote the column based on conversations
I had with CIOs who
expressed fear of potential code corruption—either
in commercial or custom
applications developed here in
America or anywhere else in the world.
I am not now, nor was I then, in possession
of evidence that shows the scenarios
I describe in the column actually
happened.


WHAT  DO  YOU  THINK? 

Send  your  thoughts  and  feedback 
to  letters@cio.com.  Letters  may  be 
edited  for  length  or  clarity.  For  a 
link  to  the  article  mentioned,  go  to 
www.cio.com/printlinks. 




RESERVED FOR PRESIDENT

RESERVED FOR JACK WHO SAVED THE COMPANY $500,000 A YEAR BY ELIMINATING OVERNIGHT DELIVERY

RESERVED FOR CEO


The downside: your walk through the parking lot was long. The upside: it gave you time to think about a way to eliminate the high cost and hassles of overnight delivery.

And lo and behold, you found it: Canon imageRUNNER® technology. It lets you send documents anywhere, in any form, at any time, over your network or the Internet. Instantaneously. Just scan a document into the imageRUNNER and send it - to desktops, E-mail addresses, fax machines, databases and file servers. All of which results in lowered costs and increased productivity. So, take pride. Thanks to Canon know-how, your walk through the parking lot is considerably shorter. 1-866-25-CANON www.imagerunner.com


Canon is a registered trademark and Canon Know How is a trademark of Canon Inc. IMAGERUNNER is a registered trademark of Canon Inc. in the U.S. and Canada. IMAGEANYWARE is a service mark of Canon U.S.A., Inc. ©2003 Canon U.S.A., Inc.


Canon  KNOW  HOW 


THERE MAY BE A BIGGER INDEPENDENT INTEGRATION SOFTWARE PROVIDER OUT THERE SOMEWHERE.

BUT UNTIL SCIENTISTS MAKE CONTACT, WE PROUDLY OFFER THE SERVICES OF THE EARTH’S LARGEST.

TIBCO Software has made real-time business and integration a reality for more than 2,000 leading companies. The reasons? Our proven, comprehensive and easily-deployed solutions. To discover why TIBCO continues to be chosen over all the integration providers out there, call 800-420-8450 or visit www.tibco.com.

TIBCO

The Power of Now™


The  Resource  for  Information  Executives 


President  Walter  Manninen 
Publisher  Gary  J.  Beach 

Editorial  Director  Lew  McCreary 

EDITORIAL 

Editor  in  Chief  Abbie  Lundberg 
Deputy  Editor  Richard  Pastore 
Managing  Editor  David  Rosenbaum 
Managing  Editor,  Production  Cheryl  R.  Asselin 

Executive  Editors  Alison  Bass,  Michael  Goldberg, 
Christopher  Koch  (Investigations) 

Leadership  and  Management  Editor  Edward  Prewitt, 
Opinion  and  Knowledge  Management  Editor  Megan 
Santosus,  Research  Editor  Lorraine  Cosgrove  Ware, 
Special  Projects  Editor  Mindy  Blodgett,  Technology 

Editor  Christopher  Lindquist 

Senior  Editors  Scott  Berinato,  Todd  Datz, 

Alice  Dragoon,  Elana  Varon  (B2B  E-Commerce) 

Features  Editor  Late  Low 

Senior  Writers  Meridith  Levinson  (B2C  E-Commerce), 
Stephanie  Overby,  Sarah  D.  Scalet  (Security  and  Privacy) 

Staff  Writer  Ben  Worthen 
Copy  Chief  Tom  Wailgum 

Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 

Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 
Consulting  Editor  Janice  Brand 
Editor  at  Large  Jerry  Gregoire 

Contributors  John  Edwards,  Jack  Keen,  Beverly 
Lieberman,  Juan  Carlos  Perez,  Michael  Schrage,  Beth 
Stackpole,  Patricia  Wallington 

Editorial  Operations  Specialist  Julie  Hanson 


How  to  Reach  Us 

E-mail  letters@cio.com 
Phone  508  872-0080 
Fax  508  879-7784 

Address  CIO  Magazine,  CXO  Media  Inc., 

492 Old Connecticut Path, P.O. Box 9208,

Framingham,  MA  01701-9208 

Website  www.cio.com 

Topic  Experts  www.cio.com/online_beats2.html 

Subscriber  Services  866  354-1125,  Fax  847  564-9453, 
E-mail  cio@omeda.com 

Rights  and  Permission  Andrew  Burrell  •  508  935-4785, 
E-mail  aburrell@cxo.com 


DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Directors  Hana  Barker,  Terri  Haas,  Lisa  Munroe 
Associate  Art  Director  Owen  Edwards 
Senior  Designer  George  Lee 
Designers  Kaajal  S.  Asher,  Alberto  Capolino 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Web  Editorial  Director  Art  Jahnke 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

Director,  CIO  Best  Practice  Exchange  Martha  Heller 
Senior  Editor,  CIO  Best  Practice  Exchange  Sari  Kalin 
Operations  Asst.,  CIO  Best  Practice  Exchange  Lisa  Byron 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 

CIRCULATION 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescara 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator  Lisa  Stevenson 

EXECUTIVE  PROGRAMS 

EP  Senior  Vice  President  Jennifer  Richards 

Conference  Management  Vice  President  Cynthia  Mollus 

Marketing  Services  Director  Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator  Andrea  Slobogan 

Event  Development  Specialist  Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 

Event  Planning  Manager  Amy  Turell 

Senior  Customer  Services  Coordinator  Sarah  Yee 


MARKETING 

Executive  VP/Marketing  Cathy  O'Leary  Hayes 
VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate  Lori  Piscatelli 
Marketing  Research  Director  Bridget  Cammarata 
Marketing  Research  Manager  Carolyn  Johnson 
Sr.  Marketing  Research  Analyst  Dylan  DiGregorio 
Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist  Kari  Curto 
Marketing  Comm.  Associate  Sarah  Crowley 

ADMINISTRATION 

Manager  of  Finance  Margarita  Chiango 
Finance  and  Operations  Analyst  Chris  Bernardi 
Executive  Assistant  to  the  President  Diane  Martin 
Billing  Administrator  Joyce  Gillis 
Facilities  Specialist  John  Kelley 
Office  Services  Coordinator  Mary  E.  Wooldridge 

INFORMATION  SYSTEMS 

Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 
Senior  User  Services  Specialist  Michael  Fahlsing 
System  Administrator  Robert  Reagan 
Senior  User  Services  Specialist  Jonathan  Frappier 

HUMAN  RESOURCES 

Human  Resources  Vice  President  Patricia  Chisholm 
Human  Resources  Manager  Tanya  Bureau 
Human  Resources  Representative  Beth  S.  Ramistella 

FOUNDER 

Joseph  L.  Levy 


INTERNATIONAL  DATA  GROUP 

CEO  Pat  Kenealy 

Board  Chairman  Patrick  J.  McGovern 


©  CXO  Media  Inc. 




Any  system  can  store  data. 

You  need  to  store  content. 




Training  video  is  content.  Seismic  studies  are  content. 

And  so  are  CAT  scan  images,  PDF  files,  audio  clips  and 
presentations.  According  to  the  analysts,  an  avalanche  of 
content  is  about  to  land  on  top  of  your  data  center.  Are  you 
ready?  With  a  Sony  PetaSite®  data  tape  library,  you  will  be. 

Sony's PetaSite libraries extend beyond terabytes into petabytes—to keep abreast of your growing storage needs. SAIT PetaSite libraries leverage the world's highest capacity data cartridge*—SAIT—to achieve the highest storage density. So you save precious data center space. SAIT also offers the lowest tape cost per gigabyte.** So you save money. Or choose Sony's DTF-2 PetaSite libraries, which have lightning-fast loading and file access. So you also save time.

Sony  PetaSite  libraries  are  ideal  for  backup,  archiving  and  Hierarchical  Storage 
Management.  Sony  PetaBack®  and  PetaServe®  solutions  give  you  even  greater  flexibility. 

Sony  PetaSite  libraries.  The  Work  Smart  solution  for  storing  content. 


Work  Smart.  Work  Sony. 


*Source: Storage Analytics' Tape Format Facts, 1/24/03

**Media  comparison  based  on  MSRPs  of  SAIT,  LTO,  AIT-3  and  SDLT  mid-range  formats  as  featured  in  CDW,  1/23/03 


VISIT  WWW.SONY.COM/DATASYSTEMS  OR  CALL  800-829-7669  FOR 
MORE  INFORMATION  ON  SONY'S  PETASITE  SOLUTIONS. 




© 2003 Sony Electronics Inc. All rights reserved. Reproduction in whole or in part without written permission is prohibited. Features and specifications are subject to change without notice. Sony, PetaBack, PetaServe and PetaSite are trademarks of Sony.


With  Jim  Demetriades 


SeeBeyond  CEO  Explains  Why 
Everything  You  Knew  About  EAI 
Has  Just  Changed 


You’re  now  saying  ‘Everything  you  know 
about  enterprise  integration  has  just 
changed.’  How  exactly  has  EAI  evolved 
over  the  last  several  years? 

EAI began as a way to integrate one application with another, enabling data integration and synchronization. It then evolved to include business-to-business integration and business process integration, allowing companies to design and manage multi-step business processes. This was certainly an advance over the “spaghetti” approach of point-to-point interfaces, and has delivered a lot of business value by automating manual processes and machine-to-machine interactions.

However, this broader definition of EAI still falls short. Achieving the vision of the real-time enterprise is not simply a matter of automating business processes between systems, but also seamlessly inserting human interaction into the processes to handle exceptions. The true complexity of business processes, and the highest value, comes from handling exceptions well, and to end-users should be undistinguishable from other enterprise applications. What businesses need is a way to quickly assemble and deliver new enterprise-scale, end-user applications built by assembling existing business systems and functionality in new ways. This is where our latest offering, the SeeBeyond Integrated Composite Application Network (ICAN) Suite 5.0, comes into play.

Considering  that  integration  costs  are  a 
significant  part  of  software  installations, 
do  you  see  application  development  and 
integration  coming  together?  If  so,  how? 

Absolutely. Today, the IT infrastructure of most organizations has grown into a morass of disjointed systems. Traditionally, application development and integration have been completely disparate functions. The advent of the integrated composite application network changes all that. It builds upon the foundations of both application development and integration, adding the benefit of human brainpower in building composite applications. Automation is extended to encompass human touch, allowing people and systems to interact synergistically and give business users a deep new look into their organization and its ecosystem.

This  new  network  is  really  a  framework 
for  creating  new,  enterprise  applications 
from  existing  ones.  This  framework  is  now 
possible  thanks  to  the  convergence  of  several 
technology  and  business  trends,  including: 

• the sufficient maturation of EAI;

• the commoditization of application servers;

• the adoption and maturation of open standards, including those for Web services;

• the widespread acceptance of portal functionality;

• and the demand from customers that vendors solve business problems cost-effectively, preferably by leveraging existing IT assets.

What  is  SeeBeyond’s  technology  strategy 
for  addressing  this  problem? 

Our ICAN Suite 5.0 provides the architecture and tools that, for the first time, enable organizations to create new end-user applications assembled using existing business logic, functionality, and human intelligence from anywhere in an organization’s ecosystem. The prospective business benefits are profound: The features and capabilities of ICAN 5.0 hold the promise of significantly reducing product cycle times and the cost of ongoing maintenance, while greatly improving productivity through unprecedented ease-of-use and support for open standards.

We believe that the ICAN Suite 5.0 fulfills the long-awaited promise of middleware. It also is the latest milestone of SeeBeyond’s 14-year vision of helping customers manage the flow of information across all systems, applications and enterprises on a global basis.


Advertising  Supplement 

What is SeeBeyond’s competitive advantage in this space?

First and foremost, we have the most open and comprehensive set of integration tools available in our new ICAN Suite 5.0. We have an installed base of more than 1,800 customers including leading Global 2000 companies; a 14-year history of success; and a product suite written by a team whose senior members have been together for more than a decade. SeeBeyond knows what eBusiness and application integration can do today, and what it must do in the future.

As a company, we have been an innovation leader since the birth of the application integration industry. We introduced the first commercially available integration broker in 1991; the first fully-distributed integration architecture in 1999; and now, with the ICAN 5.0, the first business integration platform built on an open framework, including a J2EE-compliant integration server with the first composite application generator based on an open, services-oriented architecture.

In  business  terms,  the  goal  is  to  give 
managers  a  clear  idea  of  what’s  happening 
across  their  organizations,  and  the  flexibility 
to  improve  whatever  needs  to  be  improved. 

Any  final  words  of  wisdom  for  CIOs  when  it 
comes  to  making  an  integration  project 
succeed? 

Today, enterprise software equals business strategy. That means CIOs should be looking for solutions that possess the same attributes as good business strategy—namely flexibility, responsiveness, and cost-effectiveness. In the integration market, CIOs should seek vendors who understand that and who offer solutions that allow IT organizations to reach across the traditional barriers of application development and integration. Ideally, this will enable CIOs to create their future on the success of their past, without investing in a lot of new, expensive and hard-to-use technology.

SeeBeyond® 




Introducing  the  Integrated  Composite  Application  Network  (ICAN)  Suite  5.0 

from  SeeBeyond.  ICAN  provides  unprecedented  support  for  open  standards  such  as 
J2EE  and  Web  services.  And  it  is  a  comprehensive  platform  that  lets  you  quickly  create 
new  end-user  business  applications  by  assembling  business  logic  and  functionality 
from  the  information  systems  you  already  have.  With  ICAN  5.0,  your  IT  strategy  can 
finally  keep  up  with  your  business  strategy.  To  find  out  how,  contact  us  TODAY. 

Call  1-800-425-0541  or  visit  www.seebeyond.com/ican 




SeeBeyond 


©1993-2003 SeeBeyond Technology Corporation. All rights reserved.


BIOMETRICS 

What’s  In 
a  Face? 

SHORTLY AFTER the start of the war in Iraq on March 19, Saddam Hussein appeared on state television. Or did he? The bespectacled, uniformed speaker looked like the Iraqi leader, but also different enough for many to speculate that it was a stand-in for the real Hussein, who may have been injured or killed. Enter biometrics, which for the first few days of the war proved an instrumental—and limited—tool for U.S. intelligence.

Face recognition tests indicated the person on TV was likely to be Hussein (voice tests were more definitive). Face recognition had also been used impressively weeks before this to positively identify top al-Qaida operative Khalid Sheikh Mohammed after his capture on March 1. The identification came despite the fact that, disheveled and unshaven, Mohammed looked markedly different than he had in previous photos. (Both U.S. officials and enterprising vendors made the match.)


FACIAL PROFILING

SOME OF THE WAYS FACIAL RECOGNITION TECHNOLOGY MEASURES FOR A MATCH BETWEEN TWO PHOTOS:

■ Shape, size of upper outlines of eye sockets

■ Geometry of the cheekbone area

■ Shape, size of sides of the mouth

■ Distance between eyes

■ Length, shape of nose

■ "Eigenface" technology that uses the whole face by slicing it into hundreds of gray-scale layers, each with distinctive features

Those were just recent examples. A steep uptick in the buzz around biometrics started after Sept. 11 and the subsequent passing of the USA Patriot Act, which mandates the eventual use of biometrics by U.S. authorities at the Canadian and Mexican borders.

Since then, the government has been testing the technology fervently, focusing on fingerprint ID and face recognition. And biometric advocates have seized the opportunity. “If I were a CIO, I’d simply count the number of phone calls from users who forgot their passwords,” says Alan Samuels, a self-employed biometric consultant in Elizaville, N.Y., who helped a network news program run a face recognition test between the Hussein video and file footage. “That alone can sell the technology,” he adds.

So why hasn’t it? Part of the reason biometrics remains a niche field is because the still-improving technology has been oversold. A General Accounting Office report in November 2002 raised concerns about privacy and cost. The GAO estimated that securing the nation using biometric systems would take up to $3 billion in capital investment and as much as $1.5 billion annually after that. “Biometrics is not a panacea,” the GAO report said in reference to its use along the nation’s borders.

Look no further than face recognition. Good systems identify 90 percent of matches

Continued  on  Page  30 




ILLUSTRATION  BY  MARTIN  O’NEILL 


THERE’S  AN  EASY  WAY  TO  INTEGRATE 


THREE  SOLUTIONS  FROM  THREE  COMPANIES 


FOR  STARTERS,  ELIMINATE  TWO  COMPANIES 


A single source for HR, payroll, and labor management solutions is a smart business decision. And that source is Kronos. Our best-of-breed products are designed to work together, so you’re able to implement solutions quickly and correctly - the first time. Like our 40,000 satisfied customers, you’ll receive training and professional services from a proven partner with award-winning support.


And  if  there  are  ever  any  questions,  they  can  be  answered  with  just  one  phone  call.  To  learn  more,  visit  kronos.com  or  call  800-225-1561. 


KRONOS


©  2003  Kronos  Incorporated.  Kronos  and  the  Kronos  logo  are  registered  trademarks  of  Kronos  Incorporated  or  a  related  company.  All  rights  reserved. 


trendlines 


Face  Tests 

Continued  from  Page  28 

with a 1 percent false positive, according to a study by the National Institute of Standards and Technology (NIST) released in March. However, that’s for a 100-face database, or gallery. With 37,000 faces in the gallery, accuracy swoons to 73 percent. (Fingerprint systems do better: 86 percent match with a gallery size of 100,000. But NIST says that for national security purposes, where a database will house millions of fingerprints, one-finger ID isn’t likely to fly: The match rate will be too low, and it’s harder to acquire fingerprints than it is faces.)

What’s more, the NIST face-verification tests were done under ideal conditions, with lots of light and the subject looking straight at the camera. (Accuracy deviates predictably as the head turns away from a straight-on pose.) Outdoors, match rates collapsed to 47 percent in the best systems. Samuels cited an amusement park that wanted to use biometrics, but the park would have had to completely reconstruct its entrances to control the lighting conditions well enough to have a high match rate. The park owners scrapped the idea.

Now, CIOs don’t need to achieve border security accuracy levels. But still, there’s a preconception that biometrics is better than predictable, easily compromised passwords or swipe cards because it can prove, irrefutably, that a face is a face. That is misleading.

The technology is developing, says Samuels, who believes that biometrics is too compelling to remain in the background for long. “But, in all cases, biometrics is still about probability. There’s no foolproof system,” Samuels says. -Scott Berinato


BIOMETRICS 


Reality  Unlike  TV 


AT THE WINTER Biometrics Summit, chuckling starts when a TV clip shows cops using facial recognition technology to identify a suspect. During a high-speed chase. From a helicopter. Laughter erupts when the camera cuts to a computer screen returning a hit on the image and an officer exclaims, “100 percent confirmation!”

To attendees at the Miami Beach event, an otherwise serious-minded group, the clip is ridiculous. They note that biometrics—the use of IT to identify people using fingerprints, voice, face and hand geometry—has its limitations. (The applications aren’t 100 percent accurate, for starters. And technology standards and concerns about privacy also are potential limitations.) Nevertheless, two presenters at the event demonstrate real-life systems.

The Pinellas County, Fla., Sheriff’s Office, which covers St. Petersburg, employs facial recognition when booking suspects. When a suspect is brought in for booking, a camera takes several digital pictures of him. The camera operator chooses the best picture, and the system compares it with the almost 500,000 digital images stored in the agency’s mug shots database. In seconds, the system returns the 50 pictures that most resemble the subject.

The system (funded by $3.5 million in federal grants in 2001 and 2002) recently helped to identify a person who was in the database under four different names, says Scott McCallum, a systems analyst at the sheriff’s office. Agency employees use their PCs to access the Viisage Technology facial recognition system; images are stored in an Oracle 9i database.

El Salvador’s new ID cards use fingerprint authentication. The system has reduced fraud in the process of issuing citizen ID cards and by compiling citizen information in a central database, and helped government agencies identify people living and dead, says Felix Safie, president of the government’s Natural Persons National Register. To issue an ID card, the government collects two fingerprints, a digital signature and takes a photo of the person. It takes 30 minutes. The system is based on biometric technology from Printrak. A central back-end system stores the citizens' information, including the fingerprint scans. It has redundancy and fault-tolerance features to avoid downtime and loss of data, Safie says. The country has issued more than 3 million IDs (for about half the population) since November 2001. -Juan Carlos Perez




HOW  DO  YOU  IMPROVE  YOUR 
E-BUSINESS  EFFECTIVENESS? 


When you test Web performance, what you really want to know is how the Web is affecting your bottom line. That's where Keynote Systems can help.

At  Keynote,  we  know  something  about  performance. 
We  have  been  benchmarking  the  world's  leading 
Web  sites  for  nearly  a  decade.  All  that  expertise  goes 
into  Keynote's  performance  testing  services  to  help 
you  measure  the  effectiveness  of  your  e-business. 

Keynote  offers  services  to  help  you  test  every  aspect 
of  your  e-business,  including  scalability,  capacity,  user 
experience,  and  content  integrity.  Our  performance 
testing  services  give  you  a  360-degree  perspective 
of  your  e-business  effectiveness. 

It's  the  least  you  can  expect  from 
the  Internet  Performance  Authority®. 

To find out how Keynote testing services can improve performance, save you money, and increase your e-business effectiveness, call 1-800-KEYNOTE (800-539-6683), or go to www.keynote.com/cio


IMPROVING  THE  QUALITY  OF  E-BUSINESS  WORLDWIDE. 


©  2002  Keynote  Systems,  Inc.  Keynote  and  the  Keynote  logo  are  registered  trademarks  of  Keynote  Systems,  Inc.  All  rights  reserved. 


trendlines 


Off  the  Shelf 


Edited  by  Carol  Zarrow 


Nanotech:  Fact  and  Fiction 


Nanocosm:  Nanotechnology 
and  the  Big  Changes  Coming  from 
the  Inconceivably  Small 

By William Illsey Atkinson
Amacom, 2003, $24.95

NANOCOSM is a midsize book about the big ideas surrounding an incredibly small technology. Author William Illsey Atkinson rolls out a road map to a world as different from today’s world as today is from the age of the horse and buggy. He further believes that that road map depicts a very short trip.

Atkinson conveys descriptions in layman’s terms and interprets conversations with global research leaders while taking readers through the history of nanotechnology (the manipulation of the structure of matter at the atomic level). He demonstrates where the technology stands today (it lets tennis balls stay inflated much longer than ever before, for instance) and predicts where it’s headed in the future (DNA computing in five years, nearly impervious carbon nanotube fabrics in 10).

Atkinson has a knack for making highly technical, theoretical topics seem immediate and visceral, although he’s not above being a bit of a breathless booster at times. In short, while CIOs won’t find anything here to take to the next board meeting, this book is full of interesting ideas, many of which may have a serious impact on our near-future lives. -Christopher Lindquist


Prey:  A  Novel 


By  Michael  Crichton 
HarperCollins  Publishers, 
2002,  $26.95 


FEELING A LITTLE iffy about nanotechnology? Do you think man-made, microscopic machinery is too much for humans to handle? So does Michael Crichton. In his latest novel, Prey, he presents the nuts and bolts of nanotechnology in wonderful detail and explores the motivations that scientists bequeath to these manpowered particles. In the story, foolhardy scientists implant a “predator/prey” program into the atom-size machines, which gives them the capacity to learn and evolve. Instead they develop a new goal for themselves: to hunt living things.

This is the point at which Prey morphs into the sci-fi movie it is destined to become. Before you know it, exponentially evolved nanoclusters have formed menacing swarms of human-hungry micromachines that dart from one scene to the next. The novel achieves the pace of a movie on paper. Following the established Crichton creed, this novel captivates the reader with engaging subject matter; but it lacks the depths of nuance and subtlety. -Daniel J. Horgan


You can translate biology into information and information into biology because both operate on the basis of coded instructions, and those codes are translatable. When you get down at the bottom of things, code is simply code.

-From It's Alive: The Coming Convergence of Information, Biology and Business, by Christopher Meyer and Stan Davis (Crown Business, May 2003)


THE NEW BOOKSHELF

5 Good to Great: Why Some Companies Make the Leap...and Others Don’t
By Jim Collins
HarperCollins Publishers, 2001

4 Final Accounting: Ambition, Greed, and the Fall of Arthur Andersen
By Barbara Ley Toffler
Broadway Books, 2003

3 Smart Mobs: The Next Social Revolution
By Howard Rheingold
Perseus Publishing, 2002

2 Pigs at the Trough: How Corporate Greed and Political Corruption Are Undermining America
By Arianna Huffington
Crown Publishing Group, 2003

1 World on Fire: How Exporting Free Market Democracy Breeds Ethnic Hatred and Global Instability
By Amy Chua
Doubleday, 2002

SOURCE: APRIL 9, 2003, DATA COMPILED BY WORDSWORTH BOOKS, CAMBRIDGE, MASS.


cio.com To find more good reads, visit our READING ROOM at www.cio.com/books and Darwinmag.com’s BOOK ROOM at www.darwinmag.com/connect/books.


Advertorial 


How  Content  Management 
Technologies  Can  Deliver 


Bottom-Line  Results 

LEGATOsolutions 

Reduce  Costs,  Improve  Productivity  and  Increase  Efficiency 
Through  Enterprise  Content  Management 


Content management technologies have moved beyond their traditional mission to capture and organize data for better access and retrieval. The real benefits of today's content management strategies are reduced costs, improved productivity and collaborative business processes. With the ever-present mandate to improve ROI and lower Total Cost of Ownership (TCO) for IT investments, content management is a win/win for both IT and your organization.

Consider  some  of  your  own  core  business  functions  such  as  accounting,  human 
resources,  and  customer  support  —  chances  are,  you  are  still  using  a  combination  of 
paper  documents,  email,  manual  searches,  and  other  time-intensive  processes.  These 
inefficiencies  result  in  overhead  expenses,  rework  and  mistakes  —  but  the  good  news 
is  that  today's  content  management  technologies  can  make  significant  operational 
improvements  and  provide  tangible,  bottom-line  results. 

Automated  Processes  Integral  to  Business  Management 

Large  or  small,  public  or  private,  anywhere  in  the  world...  virtually  all  organizations  are 
driven  on  some  level  by  the  day-to-day  processes  that  support  business  operations. 
Today's  employees  know  that  their  organization  depends  on  their  ability  to  collect, 
manage  and  deliver  the  right  information  to  the  right  person  at  the  right  time.  That's  why 
many  organizations  are  implementing  automated,  integrated  content  management 
solutions.  With  integrated  content  management,  you  can  achieve  gains  in  three  critical 
areas: 

■  Productivity  -  Any  business  function  can  become  more  efficient  when  the  data  it 
needs  to  perform  that  function  is  readily  accessible  and  usable.  For  example,  with 
integrated  content  management,  an  accounting  staff  can  better  track  payables  and 
speed  up  payment  to  vendors  -  ultimately  improving  the  company's  credit  rating  and 
lowering  the  overall  cost  of  credit. 

■  Efficiency  -  With  integrated  content  management,  your  employees  will  be  able  to 
seamlessly  access,  retrieve  and  process  electronic  data,  versus  spending  time  on 
manual  searches  or  other  time-consuming,  outdated  processes. 

■  Compliance  -  In  most  organizations,  certain  types  of  data  must  be  retained  for  many 
years  for  auditing  and  tax  purposes.  Conversion  of  paper  documents  to  electronic 
formats  significantly  reduces  the  amount  of  storage  space  required  for  documents  - 
therefore  reducing  or  eliminating  your  costs  for  off-site  archival  storage.  And,  you 
can  readily  access  the  documents  you  need  in  the  event  of  an  audit  or  other 
enforcement  action,  speeding  resolution. 

Selecting  a  Content  Management  Solution  for  Your  Accounting  Function 

To  understand  the  benefits  that  can  accrue  from  an  integrated  content  management 
solution,  consider  the  accounts  payables  (AP)  function  -  a  universal  business  operation. 


An  integrated  content 
management  solution  for 
accounting  should  include: 

■  Electronic  repository  of  all 
accounting  data,  with 
Web-based  access  to  that  data 

■  Workflow,  or  business 
process  capabilities  to 
streamline  operations 

■ Integration with other
software applications

■  Secure,  accessible  storage 
of  electronic  data  for 
cost-effective  storage  and 
compliance  requirements 


An  integrated  content  management  solution  for  AP  should 
include  five  core  capabilities: 

■  An  electronic  repository  of  all  source  documents  -  Your 
organization  will  speed  up  processing,  minimize  manual 
searches  and  create  a  valuable  repository  of  data  by 
converting  paper  documents  into  an  electronic  format.  This 
can  be  done  via  scanning  technologies  that  should  be  part 
of  your  overall  content  management  solution.  Scanning  also 
minimizes  the  space  and  overhead  associated  with  files  and 
boxes  of  paper  documents. 

■ Browser-based access to accounting data - A Web
interface to your electronic data means your staff can
process documents no matter where the data or the staff
person resides. As a result, your staff can be productive,
regardless of location, time zones and other constraints
associated with traditional accounting processes. The AP
operations can be done with keystrokes and mouse clicks,
not manual searches, faxes, and multiple hardcopies.

■ Workflow, or business process automation capabilities -
Automating specific processes in accordance with your
organization's business rules can dramatically improve
efficiency. Once a particular step in a process is
completed, say matching an invoice to the purchase order in
the accounts payables process, the document(s) are
automatically forwarded to the appropriate person for the
next step in the process.

■ Integration with existing accounting applications - The
content management solution you select needs to feature
open architecture and software development kits to allow
for easy integration with your existing applications. This
type of integration can enable users to access documents
directly from within the accounting application.

■ Data protection - Finally, no integrated content management
solution would be complete without secure, accessible
storage and data protection. Look for a data storage and
management component that is flexible enough to let you
choose the storage media that is best for your organization -
including optical, WORM, Tape, DVD and CD, as well as
newer disk-based options.

In  addition  to  the  above  capabilities,  be  sure  to  select  a  content 
management  solution  that  is  backed  by  a  company  with  the 
experience,  resources  and  support  that  you  need. 


The  benefits  of  applying  content  management 
technologies  to  your  organization  include: 

■  Reduced  costs 

■  Improved  productivity  through  fewer  manual  processes 

■  More  efficient  use  of  document  and  other  content  that 
drives  day-to-day  operations 


LEGATO's  ApplicationXtender®  Suite,  Used  to  Streamline 
Processes  in  Thousands  of  Organizations  Worldwide 

As you evaluate integrated content management solutions for
your organization, be sure to consider LEGATO Systems, Inc.
LEGATO Systems is a global provider of data management
solutions that drive operational efficiency and business continuity.
Our integrated, automated content management solutions
have been implemented in thousands of organizations around
the world in many industries - including finance, healthcare,
telecommunications, manufacturing and education.

ApplicationXtender®, the core of LEGATO's content management
solution, takes a unified approach to data collection,
generation, management and delivery. It enables access
through a universal interface by intelligently indexing, organizing
and storing data from across the enterprise. Other key
components of LEGATO's content suite include WebXtender®,
ERMXtender® and WorkflowXtender®.

The newest addition to the ApplicationXtender family is
WorkflowXtender® for AP. Designed to be largely an "off the
shelf" application, WorkflowXtender for AP helps maximize the
efficiency and productivity of the accounting process. It's easy
to install and configure and provides a complete solution that
captures invoices and manages the review and approval activities
through to payment. LEGATO also offers customized
workflow solutions for accounts payables.

All  Xtender  products  are  built  on  a  solid  foundation  that 
includes  comprehensive  data  storage  management  through 
LEGATO's  award-winning  DiskXtender®  product,  which  provides 
virtually  infinite  storage  capacity  for  content.  In  addition, 
DiskXtender  allows  organizations  to  choose  the  storage  media 
that  best  meets  their  access,  retention  and  cost  requirements, 
including  NAS,  Optical,  WORM,  Tape,  DVD  and  CD,  as  well  as 
the  latest  ATA  disk-based  devices. 

The  ApplicationXtender  suite  provides  comprehensive  capture 
capabilities  for  your  enterprise  data,  including  imaging, 
electronic  file  support,  faxes  and  computer  output  reports  for 
both  traditional  COLD  (text-based  reports)  as  well  as  advanced 
printstreams  (AFP,  Metacode,  PCL  and  PDF).  The  suite  will  also 
capture  index  information  from  the  various  formats,  and  store 
the  indexes  in  a  centrally  available  repository  -  which  also 
creates  a  virtual  repository  for  all  content. 

ApplicationXtender supports a comprehensive content management
strategy, and can help your organization achieve significant
cost savings and productivity gains for an outstanding ROI.

For  more  information  about  ApplicationXtender 
for  Accounting  and  LEGATO  Systems, 
visit  www.legato.com/solutions/accounting 
or  call  888-853-4286. 


LEGATO

Keeping  the  World's  Business-Critical  Information  Available 


LEGATO  Systems,  Inc. 

2350  West  El  Camino  Real,  Mountain  View,  CA  94040  USA 

Tel (650) 210.7000 • (888) 853.4286 | Fax (650) 210.7032 | www.legato.com

For  a  complete  listing  of  LEGATO  Systems  offices  worldwide,  please  visit  http://www.legato.com/offices/ 


LEGATO and the LEGATO logo are registered trademarks, and LEGATO NetWorker, NetWorker, LM:, Celestra, GEMS, SmartMedia, Co-StandbyServer, RepliStor, SnapShotServer, QuikStartz, SAN Academy, AlphaStor, ClientPak, Xtender,
XtenderSolutions, DiskXtender, ApplicationXtender, ArchiveXtender, and EmailXtender are trademarks or registered trademarks of LEGATO Systems, Inc. This is a non-exhaustive list of LEGATO trademarks, and other trademarks may be the
property of their respective owners.


Information  regarding  products,  services  and  offerings  may  be  superseded  by  subsequent  documents.  For  the  latest  information  and  specifications  regarding  LEGATO  Systems,  Inc.  and  any  of  its  offerings  or  services,  please  contact  your  local 
sales  office  or  the  Corporate  Headquarters.  ©2003  LEGATO  Systems,  Inc.  Printed  in  the  USA. 


Are  You 

Maximizing 

Your  Customer 

Relationships 


Do  you  understand  the  challenges  of  CRM?  How  can  you 
avoid  common  mistakes?  What  constitutes  a  well-defined 
strategy?  How  do  you  balance  CRM  with  privacy?  What  are 
affordable  ways  to  make  it  work?  Turn  to  the  CIO  FOCUS™  on 
CUSTOMER  RELATIONSHIP  MANAGEMENT:  MAXIMIZING 
REWARDS,  MINIMIZING  RISK-actionable  information 
created,  filtered  and  packaged  by  the  award-winning  editors 
of  CIO  magazine. 

CIO  FOCUS™  is  delivered  right  to  your  desktop  giving  you 
immediate  access  to  the  information  you  need.  And  for  your 
future  reference  needs,  the  electronic  file  is  followed  by  a 
packaged  version,  shipped  within  72  hours.  Available  now  at 
an  introductory  price. 

CIO FOCUS™

STRATEGIC  GUIDES  FOR  EXECUTIVE  DECISION  MAKING 


CIO  FOCUS™ 


Offshore  Outsourcing:  Navigating 
the  Opportunities  and  Risks 

Securing  Information  Assets: 
Planning,  Prevention  and  Response 

The  Elite  CIO:  Principles  and 
Practices  of  Top-Tier  IT  Leadership 

Fundamentals  of  Enterprise  IT 

The  Balanced  Scorecard 


The  Resource 
for  Information 
Executives 


FOR EXECUTIVE DECISION-SUPPORT TOOLS, VISIT THE CIO STORE—THE CIO’S KNOWLEDGE MARKETPLACE.

www.TheCIOStore.com 


I  AM  A  CISCO  1200 
SERIES  DUAL 
BAND  WI-FI 
ACCESS  POINT. 


I  AM  70  MORE 
MINUTES  OF 
PRODUCTIVITY  PER 
EMPLOYEE  PER  DAY 

I AM A CISCO WIRELESS NETWORK. I HAVE THE POWER TO
CONNECT  EMPLOYEES  TO  VITAL  DATA  WHEREVER  THEY  ARE. 
AND  DO  IT  SECURELY.  THAT  SAVES  TIME.  THAT  SAVES  MONEY. 
THAT  IS  POWERFUL.  I  AM  MORE  THAN  A  CISCO  1200  SERIES 
DUAL  BAND  WI-FI  ACCESS  POINT. 


THIS IS THE POWER OF THE NETWORK. NOW.


Cisco  Systems 




cisco.com/mobilitynow 



trendlines 


HOMELAND SECURITY

State to Share Data with FBI


INFORMATION SHARING is key to beefing up homeland security.
As part of that initiative, the State Department will soon share its
database of 50 million visa applications with the FBI. The confidential
Consular Consolidated Database contains personal
information such as name, date of birth and nationality. It also
holds about 20 million photographs. (Visa records are currently
shared with the INS at ports of entry for verification purposes.)

Access  to  the  database  will  help  the  FBI  check  visa  records  as  it 
investigates  potential  terrorism  suspects.  The  bureau  has  been 
chastised,  especially  since  Sept.  11,  for  its  out-of-date  computer 
systems  that  make  it  difficult  for  agents  to  do  even  the  most  basic  file 
searches.  This  agreement  with  the  State  Department  is  one  initiative 
the  FBI  is  pursuing  as  it  modernizes  its  systems  and  makes  them 
compatible  with  other  government  networks. 

Like other information-sharing initiatives that are part of the
federal government's push for e-gov and homeland security (see
“A More Perfect Union” at www.cio.com/printlinks), this agreement
raises the eyebrows of privacy advocates who fear potential
abuse from law enforcement’s increased access to personal
information. Stuart Patt, a spokesman for the State Department’s
Consular Affairs Bureau, emphasizes that local law enforcement
agencies will not have direct access to the database, as has been
erroneously reported in the media.

“There is some improved access being put in place to make it
easier for the FBI to access those records for law enforcement
purposes. If the FBI is working with local law enforcement and
clears it for them to make requests, the requests—as far as we’re
concerned—will be coming from the FBI,” Patt says, adding that the
visa records will remain confidential. “That is something we control
carefully to be sure they are being used properly.” -Todd Datz


GIS TECHNOLOGY

In Search of Columbia


AT 7:59 A.M. on Saturday, Feb. 1, Darrel
McDonald was walking his dog in Lufkin,
Texas, near the now well-known town of
Nacogdoches. Minutes later, he was shaken
by a series of explosions as the space shuttle
Columbia broke up far overhead. “I
looked up, but above me was only a broad
contrail,” says McDonald, coordinator of
the Humanities Undergraduate Environmental
Sciences (HUES) geographical information
systems lab at Stephen F. Austin
State University in Nacogdoches.

Bill Gardner, project coordinator for the
HUES GIS lab, was eager to spend that day
with his two daughters (to read more about
GIS technology, see “Putting IT on the
Map,” on Page 114). Minutes after the
explosion, though, the Nacogdoches police
called. They needed a data acquisition and
analysis system to generate maps of fallen
debris for the search teams. “They told me
[the assignment], and I said, ‘All right, let’s
go to work,’” he says. Gardner worked virtually
nonstop for the next 13 days, sleeping
on a cot in the lab for the first five nights.

At the Federal Emergency Management
Agency’s request, he programmed a data
dictionary for the GIS mapping software
and loaded the data fields into 14 Trimble
Navigation GPS units. Student and alumni
volunteers showed up 20 minutes later. “We
were loading the handhelds as they were
walking in the door,” Gardner says.

McDonald organized the search teams.
“[By 10 a.m.] we had three teams out, and
by the middle of the day, we had five,” he
says. By day two, he and Gardner, along
with Jason Gorgan of the university’s Forest
Resources Institute (FRI), had 14 teams dispatched.
Teams were assigned to search
zones based on data received from police.

When the teams located debris, they
logged the locations and other data on the
GPS units. Then they returned to the lab
where Gardner uploaded the raw data into
the GIS system, overlaid a topology and
generated maps. By 7 p.m. every day, FRI
members compiled the miniature maps and
produced one large map of the wreckage
trail. NASA and FEMA workers used this
map for the remainder of the search.

“This terrible tragedy allowed a lot of
people the opportunity to see how important
geospatial technology can be in
responding to emergency situations,” says
McDonald. -Daniel J. Horgan


Robert  Smith,  left,  a  U.S.  Forestry  Service  worker, 
wears  a  global  positioning  device  to  track  shuttle 
debris  in  Hemphill,  Texas,  during  a  February  search. 




PHOTO  BY  AP/WIDE  WORLD  PHOTOS 


Jennifer’s  customers  expect  real-time  access  to  information  like  order  status,  pricing  updates 
and  inventory  levels.  To  deliver  quality  service  and  keep  customers  coming  back,  Jennifer’s 
customer-facing  systems  must  be  integrated  in  real-time  with  backend  systems  running  on 
different  hardware  and  database  technologies.  DataMirror  LiveBusiness™  software  rapidly  and 
cost-effectively  bridges  disparate  systems  and  databases  to  ensure  that  the  data  Jennifer  needs 
is  integrated  and  available  in  real-time.  DataMirror’s  live  data  flows  empower  companies  of  all  sizes 
to  increase  revenues  and  improve  their  bottom  line  through  new  efficiencies,  enhanced  service  levels 
and  the  ability  to  do  business  24/7.  THE  WORLD  WORKS  IN  REAL-TIME.  SHOULDN’T  YOUR  BUSINESS? 


HOW  TO  DO  BUSINESS  WITH  DATAMIRROR 

WWW.DATAMIRROR.COM  1  800  362  5955 


DataMirror 

THE  EXPERIENCE  OF  NOW.™ 


VIEW  THE 

REAL-TIME 

ENTERPRISE 

FLASH  DEMO 

DATAMIRROR.COM/REALTIME 


Copyright © 2003 DataMirror Corporation. All rights reserved. DataMirror, LiveBusiness, and The experience of now are trademarks or registered trademarks of DataMirror Corporation.

All  other  brand  or  product  names  are  trademarks  or  registered  trademarks  of  their  respective  companies. 


trendlines 


Edited  by  Elana  Varon 


H-1B VISAS

Foreign  Worker  Quota  Set  to 
Drop  Amid  Backlash 


CIOS WHO HAVE RELIED on H-1B visas to
keep IT labor costs down may want to
rethink that policy. The quota for H-1Bs,
which confer temporary resident status to
foreign technology workers, is set to revert in
October from the current 195,000-a-year
limit back to the pre-Internet boom level of
65,000. Harris Miller, president of the Information
Technology Association of America,
which has led efforts to hike the H-1B quota
in the past, says that at current hiring rates,
if the quota decreases as scheduled, the visa
allotment could be used up by next April.

But that may be the least of a CIO’s worries.
The unemployment rate among American
high-tech workers is pushing 5 percent,
which is leading to a backlash against foreign
IT workers and the companies that
sponsor them. One manifestation of this
backlash is a recent lawsuit initiated by a
former Sun Microsystems employee who
alleges the hardware vendor deliberately
laid off American workers and replaced
them with lower-paid foreigners. More than
500,000 U.S. technology workers lost their
jobs between January 2001 and December
2002. During the same period, companies
sponsored more than this number of high-tech
workers on H-1B and other temporary
visas. According to the INS, the
median salary for an H-1B worker is
25 percent less than that of an American’s.

The technology industry is quietly pressing
Congress to keep the H-1B cap high.
So far, there isn’t a congressional sponsor
for the proposal, but the tech lobby has
powerful allies. When the current quota
was set in October 2000, House leaders
slipped it through one evening after many
opponents had left for home, and H-1B
detractors are convinced the same thing will
happen again. Meanwhile, the controversy
won’t go away, and it could affect staff
morale. That’s already happening, says
David Ray, associate director of the Federation
for American Immigration Reform,
which lobbies to keep immigration levels
low. “Immigration should not be a tool to
destroy the careers of American workers,”
says Ray. -Ben Worthen


SECURITY 

Cybersecurity  Agencies  Merge 


THE DEPARTMENT OF HOMELAND SECURITY has merged three
organizations that help private industry cope with cyberemergencies—the
National Infrastructure Protection Center, the National
Communications System and the Federal Computer Incident Response
Center—into a new agency called the Information Analysis
and Infrastructure Protection (IAIP) directorate. The purpose of the
merger, which is dictated by law, is to eliminate
overlap and address gaps in how the government
collects, investigates and disseminates information
about security breaches. DHS Secretary Tom Ridge
wants $829 million to fund IAIP in 2004.

For now, says David Wray, acting communications
director for the IAIP, companies won't need
to change how they share information with the government.
Most employees who transferred will
keep the same jobs in the new directorate for now,
and Wray advises CIOs to maintain the relationships
they have with staff from the previous organizations.

Alan Paller, director of research with the SANS Institute, a private
organization that provides research and education about
information security, says the consolidation will strengthen government's
cybersecurity efforts. But concerns linger about how
effective the DHS will be at preventing cyberattacks during the
months-long transition.

In testimony before the House Technology,
Information Policy, Intergovernmental Relations
and Census Subcommittee last month, former
NIPC Director Michael Vatis said it could take at
least a year for the IAIP to ramp up fully. That’s
“troubling,” says Vatis, who now heads the Institute
for Security Technology Studies at Dartmouth
College, because the number and severity
of cyberattacks is increasing.

-Julie Hanson and Elana Varon




Introducing 

CCTP

video  surveillance  for  the  digital  age 

Want  to  know  more? 

Simply  go  to  anixter.com/CCTP 

or  call  1-800-ANIXTER. 


• 40% of physical security departments now report up
through IT...and that number is increasing

•  Video  surveillance  technology  will  be  an  IP-based  platform 

•  Current  video  surveillance  infrastructure  can't  handle 
today's  surveillance  needs,  much  less  tomorrow’s 
digital  applications 

•  CCTP  is  30%  less  expensive  than  traditional  CCTV  systems 

CCTP,  engineered  by  Anixter,  is  a  revolutionary  UTP-based 
video  surveillance  system  that  allows  you  to  run  standard 
video  surveillance  systems  at  a  lower  cost  today  while  being 
prepared  for  the  IP-based  video  surveillance  applications  of 
the  future. 

»CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


‘Winner  of  the  "Best  New  Technology"  Award  at  the  Federal  Office  Systems  Expo  (FOSE) 


trendlines 


CONTENT  MANAGEMENT 


Table  Your  Contents 


CRAIG BAILEY was drowning in a sea of digital
documents. “We had content spread
across different applications, which meant
we had knowledge we couldn’t make good
use of,” says Bailey, director of corporate
intranet applications at Procter & Gamble.
Besides representing a treasure trove of
knowledge, that dispersed data caused support
and validity headaches.

To get a better handle on its content,
the consumer goods company
began installing an enterprise content
management (ECM) system
from Stellent in May 2002. The
software, now in the rollout phase,
will eventually let P&G’s 100,000
employees pull content from the back-end
system into their application of choice.

The amount of content employees generate
and store is on the rise, and most of
that is not structured or stored in such a
manner that it’s easily accessible. According
to Meta Group, more than 80 percent of
the information that knowledge workers
need is unstructured — meaning stored as
e-mail, Word documents, images, multimedia
or other digital formats. Because of
this growth of unstructured content, the
market for ECM systems is poised to take
off. In a survey of 400 companies, Meta
found that ECM is the top priority in 2003
for companies with more than 5,000 employees.
ECM, which Meta defines as technology
to enable information life
cycle management — the creation,
storage, retrieval and distribution
of information — promises to trim
costs and improve collaboration.

Vendors are starting to pay attention.
Andrew Warzecha, Meta’s
senior vice president and service
director of e-business strategies, says vendors
will begin offering ECM suites this
year. By 2004, he expects the ECM market
will be worth about $10 billion per year.

Alan Pelz-Sharpe, vice president of research
and consulting at Ovum, sees a
rougher road ahead for ECM. “Getting
benefits from ECM systems will require an
understanding of the business and some
organizational changes to how work gets
done,” he says.

[Chart: Revenue Forecast for Enterprise Content Management, in millions, by year, 2003 to 2007. SOURCE: OVUM]

At P&G, an early ECM adopter, organizational
issues have already cropped up,
Bailey says. To enable corporatewide content
searches, for example, P&G will have
to enforce a strict taxonomy across applications.
Bailey says this has already met
with some resistance among P&G’s user
community. -Megan Santosus


WIRELESS INTERNET

Because  It’s  There 


MOUNT EVEREST poses many challenges.
Rough, variable weather. Altitude
acclimatization. Hazardous icefalls.
And then there’s setting up an
Internet cafe on a glacier that moves
up to three feet a day. Tsering Gyaltsen,
the grandson of Tenzing Norgay, the
sherpa who accompanied Sir Edmund
Hillary on his 1953 climb, is leading a
group of volunteers to establish an
Internet cafe at the base camp at the
foot of the world’s highest mountain.
The cafe is expected to be up and running
this spring.

Since hard-wiring the site is out of the
question, the cafe will rely on 802.11b
Wi-Fi technology, routed through a combination
of satellite antennas and wireless
bridges. A LAN in a tent at the base
camp cybercafe connects the wireless
bridge to several PCs.

Dave Hughes, an expert on wireless
and remote access technology, is advising
Gyaltsen on installing the system. He
configured a mock installation near his
home in Colorado Springs, Colo., to
ensure that once everything arrives at
Mount Everest, it can be up and running
in days. “This is a pioneering effort in
many ways, and it will be a great service
to technical travelers and climbers,”
says Hughes. -Julie Hanson




ILLUSTRATION  BY  MARTIN  O'NEILL 


Aladdin

SECURING THE GLOBAL VILLAGE


Any  anti-virus  solution  can 
stop  a  known  threat. 

What  about  the  unknown? 


...  Bugbear...  Klez... 
Nimda. . .  hmmm. . .  nope. 
Don't  see  ’im  on 
the  list. 




Okey-dokey. 

Sir,  you  can 
come  on  in! 


Upgrade  your  Gateway  and  Mail  server 
security  to  a  'smarter'  level  of  protection 
with  eSafe®.  eSafe  is  the  new,  proactive 
solution  that  scans  and  blocks  malicious 
"unknowns"  before  they  enter  your  network— 
before  they  show  up  on  anyone's  signature 
update  list.  The  result?  Tighter  security  with 
more  network  uptime  and  productivity. 

eSafe  enables: 

■  Strong,  around-the-clock  protection 
against  new  and  existing  viruses,  worms, 
spam,  and  hostile  email  attachments. 

■  High-speed  scanning  of  all  HTTP  and  FTP 
traffic,  closing  a  significant  security  hole 
for  large  organizations. 

■  Proactive  protection  against  known,  but 
unpatched,  security  exploits. 

Today,  the  average  cost  of  a  successful 
virus  attack  to  a  business  is  $283,000*. 

Be  proactive.  Move  up  to  the  award-winning 
protection  of  eSafe. 

Try  It.  Win  It.  Test-drive  eSafe  Gateway  or 
eSafe  Mail  and  you  could  win  up  to  a  5,000- 
user  license  for  one  year— a  $70,000  value! 
Go  to  eSafe.com,  call  us  at  1-800-562-2543, 
or  email  us  at  eSafe.us@eAladdin.com  for 
more  information. 


PROACTIVE  CONTENT  SECURITY 




North  America:  1-800-562-2543,  847-818-3800  or  eSafe.us@eAladdin.com  International:  +972-3-636-2313  or  eSafe.il@eAladdin.com 
Germany:  eSafe.de@eAladdin.com  UK:  eSafe.uk@eAladdin.com  France:  info@Aladdin.fr  Benelux:  eSafe.nl@eAladdin.com 

*2002  CSI/FBI  Computer  Crime  and  Security  Survey 


©2003 Aladdin Knowledge Systems, Ltd. eSafe is a registered trademark of Aladdin Knowledge Systems, Ltd.


VOICE: The world's largest international voice carrier will make
DATA: The world's farthest reaching global IP network will make

communications better TOGETHER


Voice  claim  based  on  TeleGeography  2003  survey.  Data  claim  based  on  global  PoPs. 


Now,  long  distance,  local  calling  and 
Internet  service  will  be  together.  Voice 
and  data  networks  for  companies  large  and 
small  will  be  together.  The  innovations 
of  one  of  the  world's  largest  Internet 
providers  and  the  simplicity  of  one  global 
network  will  be  together.  Under  one  name; 


www.mci.com 


Patricia Wallington | Total Leadership


After  You! 

Why  leaders  should  hone  followership  skills 

DID YOU EVER PLAY Follow the Leader as a child? Would it surprise
you to learn that this game is excellent preparation for future
leadership? People cannot lead effectively if they have not first
learned how to follow. Ineffective followers have trouble distinguishing
when it’s time to follow and when to lead.

The  Art  of  Followership 

There are probably no classes or seminars offered in followership. It might indeed be an art. Let me share a few of the characteristics of good followers that I have observed during the course of my career.

Listening.  Good  listening  may  be  the  primary  characteristic 
of  good  followers.  Many  people  say,  “I  hear  you,”  but  did  they 
really  listen?  Listen  with  your  whole  brain  undistracted  by 
internal  dialogues.  Listen  in  order  to  understand. 

Focus.  Good  followers  tend  to  be  highly  focused  on  results. 
They  set  aside  any  personal  agendas  that  could  disrupt  that 
concentration. 

Egolessness. Some people shine only when they are in the starring role. But good followers are comfortable playing a supporting role. They have honed the skills they need to lend support from the background. They are less concerned with credit than they are with successful completion of the task.

Relevance. Good followers stay close to the working environment because it gives their contributions a sense of reality. This is particularly important for executives acting as followers—like CIOs. Many a great idea has fallen flat because it lacked relevance.

Team orientation. The team’s effectiveness is a high priority for good followers. They do what will make the team succeed, sometimes at great personal risk. For them, there is no individual success if the team fails.

What  Leaders  Can  Learn  from  Following 

Followership  skills  can  enhance  your  ability  as  a  leader.  Being 
“The  Boss”  is  not  necessarily  the  best  approach  to  all  problems. 


ILLUSTRATION  BY  INGO  FAST 




Sometimes  it  is  easy  to  get  so  enamored  of  leadership  that  you 
exclude  other  roles.  But  situations  in  which  it’s  best  for  you  to 
be  a  follower  are  opportunities  to  be  a  role  model  for  your 
organization.  Here’s  what  you  can  learn  by  being  a  follower. 

Listen. Be open to the ideas of those around you. Some of the best ideas come from within the organization; don’t lose the opportunity to hear them. Be sensitive to the multiple constituencies you represent, and ensure their views are heard.

Learn. What challenges and obstacles do you face as a follower? Are there ways to eliminate any of them? It is much easier to recognize these things when you are in the role of follower instead of leader. Take note and plan on fixing the problems later to make life better for those who play this role every day. You can also learn how difficult it is to gracefully follow a direction with which you disagree. This will make you more empathetic in the future when you are leading on a controversial issue.

Enjoy. For the leader who carries the burden of responsibility every day, being a follower can be a fun and valuable experience. The view is different as a participant. Relax and enjoy the opportunity to focus on a single task rather than the multitude of problems that fill your ordinary day.

Reward. Support the followers in your organization. Their role is vital to everyone’s success. Be sure there is an appropriate balance of rewards between leaders and followers. This will encourage your staffers to hone the skills and gain the experiences that will ultimately make them better leaders.

Train. It is impossible to be the best at everything you’ll encounter in the course of doing business. When all eyes turn to you for every answer, learn how to turn responsibility back. Use low-risk situations as opportunities to let others demonstrate their leadership ability. A problem that someone else is more qualified to solve is your cue to step back.

I  once  stepped  into  an  operation  that  had  been  led  by  a 
strong  authoritarian  manager.  The  first  time  I  asked  the  staff, 
“How  do  you  think  we  should  do  this?”  I  could  see  the  fear  in 
their  eyes,  wondering  whether  it  was  a  test.  It  took  some  time 
to  establish  a  balance  of  followership  and  leadership,  but  it 
was  well  worth  the  effort. 


From  Follower  to  Leader 

If  you  want  to  make  the  journey  from  follower  to  leader,  these 
actions  will  facilitate  your  path. 

Observe.  Study  those  who  are  viewed  as  successful  leaders. 
Note  how  they  make  decisions,  handle  difficult  situations,  treat 
people  and  present  their  ideas.  Try  to  emulate  these  behaviors 
when  you  are  faced  with  similar  challenges.  It  takes  discipline 
to  stop  and  think  about  how  you  want  to  handle  a  problem 
instead  of  just  reacting,  but  with  enough  practice  it  will  become 
a  habit.  You  should  also  observe  those  who  are  not  strong 
leaders.  I  have  to  admit  I  learned  a  lot  about  what  not  to  do 
from  my  least  favorite  boss.  I  compiled  a 
long  list  of  things  I  would  never  do  when  I 
became  a  leader.  Hopefully,  I  have  lived  up 
to  that  goal. 

Test  different  perspectives.  You  know 
what  you  think  should  be  done — but  what’s 
the  view  from  above  you?  Is  there  something 
your  boss  would  focus  on  that  you  have 
ignored?  Have  you  taken  a  broad  enough 
approach?  Have  you  considered  all  the 
constituencies  that  need  to  be  represented? 
Learn  to  ask  yourself  these  kinds  of  questions  and  then  critique 
the  results.  Did  a  situation  turn  out  the  way  you  envisioned,  or 
did  you  learn  something  new?  How  could  you  have  learned  it 
before  taking  action?  This  process  will  help  you  adopt  a  higher 
perspective  to  enhance  your  leadership  journey. 

Seek  counsel.  Try  to  build  relationships  with  senior  leaders. 
Seek  their  advice  when  faced  with  difficult  decisions.  Doing  so 
will  help  you  understand  the  mind-set  of  those  at  the  top.  They 
can  also  provide  important  feedback  on  how  your  actions  are 
perceived.  I  got  a  lot  of  help  from  others  as  I  was  pursuing  my 
career.  Seeking  counsel  may  seem  difficult  the  first  time  you 
do  it,  but  I  always  found  people  to  be  gracious  with  their  time 
and  advice.  It  was  invaluable  assistance. 

Remember.  While  you  are  confidently  striding  down  the 
path  from  followership  to  leadership,  remember  the  journey. 
Remember  the  things  you  learned  and  the  people  who  helped 
you.  Try  to  reciprocate  by  helping  those  who  come  after  you. 

Learning  to  follow  well  will  make  you  a  better  leader — 
whether  you’re  in  that  position  now  or  working  your  way  up. 
And  both  good  followership  and  good  leadership  are  required 
for a successful organization.


What  have  you  learned  about  the  relationship 
between  leadership  and  followership?  Write  us  at 
leadership@cio.com.  Before  retiring  in  1999,  Patricia 
Wallington was corporate vice president and CIO at
Xerox.  She  is  now  president  of  CIO  Associates  in 
Sarasota,  Fla. 




Introducing  the  AMD  Opteron™  processor,  64-bit  computing  for  today’s  32-bit  world. 

It’s the only processor that is designed to run your 32- and 64-bit applications simultaneously and without compromise. AMD Opteron runs on AMD64, a breakthrough architecture that enables 64-bit technology on the x86 platform, creating a new class of computing so you can migrate to 64-bit technology on your own terms.


The  world’s  highest  performing  2P  and  4P  servers  are  now  powered 
by  AMD  Opteron  processors.  Receive  the  performance  and  security  benefits  of 
64-bit  computing,  while  getting  the  best  32-bit  performance  available  anywhere. 




Leverage  your  existing  investments  while  preparing  for  the  future.  One  architecture 
across  one  enterprise  means  you  won’t  have  to  rip  and  replace  your  entire  infrastructure  when  you  transition 
to  64-bit  computing.  It’s  just  another  way  AMD  designs  and  builds  processors  with  you  in  mind.  For  a  closer 
look  at  the  financial  and  performance  advantages  of  the  AMD  Opteron  processor,  visit  www.amd.com/opteron 


© 2003 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo, AMD Opteron, and combinations thereof are trademarks of Advanced Micro Devices, Inc.


Managing  desktop  security  can  be  challenging. 


That’s  why  there’s  Windows  XP  and  Office  XP. 




Recognize any of those issues? Or, perhaps, all of them? We thought so. Many of these issues can be related to your legacy desktop software; fortunately, many of them can be addressed by features in Microsoft® Windows® XP Professional and Microsoft Office XP Professional. Want specific examples? The Group Policy feature in Windows XP Professional lets you define related user groups and then easily assign security settings to the group as a whole. Office XP Professional offers Macro Virus Protection, which lets you easily configure applications to help prevent users from running the macro attachments that most viruses use. Want more reasons to upgrade? Visit microsoft.com/desktop


© 2002 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Michael Schrage | Making IT Work


It’s  All  About  the  Execution 


The Voodoo Economics Behind Utility Computing

Before  you  sign  up  for  pay-as-you-go,  you  need  to 
understand  how  utilities  can  manipulate  and 
hide  the  true  costs  of  plugging  in 


THE FRUSTRATED GENERAL MANAGER of a fast-growing division of a Fortune 100 pharmaceutical company decided to game his corporation’s IT budget rules. On one hand, he couldn’t afford to self-fund a supply chain initiative he thought essential to his group’s growth. On the other, corporate wouldn’t fund division-driven apps unless the group committed itself to an unrealistic ROI.

The business manager sat down with his IT guru and crafted a cunning third option: Transform the supply chain initiative into a “value-added” e-mail initiative. Why? Because e-mail-oriented IT initiatives were funded by corporate as “infrastructure.” The manager got his infrastructure proposal approved.

So what’s the real difference between an app and an infrastructure? That’s easy: Don’t look at who uses it; look at who pays for it. Management—not technology—determines when an app is an infrastructure and an infrastructure is an app.

The current incarnation of the apps versus infrastructure debate can be found in the promises of the pay-as-you-go “information utility” metaphor being marketed by such vendors as Hewlett-Packard, IBM and Sun Microsystems. “If you can make [computing] a utility,” HP Senior Technical Adviser Joel Birnbaum observes, “that means your network is on all the time, and you’ll use special services only when you need them. If you do one day’s supercomputing a month, you don’t need to own it.”

Indeed. The whole marketing idea behind information utilities is that their data and transactions—much like water and electricity—are available whenever you need a sip or want a jolt. Utilities are infrastructures that facilitate and enable apps. Quality and reliability standards exist. Costs are more or less predictable. Information-intensive companies such as J.P. Morgan Chase and American Express seem increasingly convinced that the utility analogy is the smart way to manage their businesses.

There’s legitimate logic to this. But CIOs investing in the utility paradigm need to understand what they’re really implementing. Any serious discussion about utilities requires a brief appreciation of their economics. The fact is that the history of utilities in every industry is a history of regulation, politically



ILLUSTRATION  BY  GREG  MABLY 


imagine 


A  Java  application  management  solution 
that  allows  your  entire  organization  to  move 
in  the  same  direction  instead  of  fighting  to 
assign  blame. 

The  blame  game  is  over. 


Chances  are  that  your  team  knows  how  to  play  the  blame  game.  Here’s  how 
it  works:  your  new  mission-critical  enterprise  Java  application  sails  through 
the  QA  lab  with  flying  colors,  but  in  production  it  underperforms,  or  even 
crashes.  And  all  too  often,  correcting  the  problem  boils  down  to  guesswork 
and  finger-pointing— the  blame  game. 

Unfortunately, the people in charge of creating, testing and monitoring enterprise applications can’t talk to each other. It’s not because they need more sensitivity training, group hugs, and gurus. It’s because they need a common language to communicate and a proven management solution to help them find and fix the problem fast. They need Wily 4.

Wily 4 gives the people in your organization the real-time information they need to manage and fine-tune production applications for maximum performance, isolate bottlenecks and find out what’s wrong when there’s a failure.

Game  over. 

Wily Technology

ENTERPRISE  JAVA  APPLICATION  MANAGEMENT 
1  888  GET  WILY  /  WWW.WILYTECH.COM 


driven cross-subsidies and monopoly pricing—which are not necessarily bad things. But let’s not kid ourselves that an enterprisewide information utility would be anything but a creature of internal and external regulation, cross-subsidies and monopoly, no matter who runs it. Numerous empirical studies assert that regulators invariably fall captive to the utilities they oversee. Executive operating committees supervising their information utilities may share that same fate.

So  any  company  implementing  an  information  utility  isn’t 
implementing  a  cost-effective  ensemble  of  digital  networks  as 
much  as  creating  a  regulated  monopoly  destined  to  battle  over 
cost  allocations  for  bits,  bytes  and  bandwidth.  Why?  Because 
utility  economics  vastly  favors  cost  recovery  over  value  creation. 

When  a  utility  incorporates  a  feature  or  a  function,  one  way  or 
the  other,  it  seeks  subsidy  to  guarantee  a  return  on  its  investment. 
A  utility  is  a  social  construct  that  uses  cross-subsidies  to  assure  that 
everyone  has  access  to  the  desired  resource  at  an  “equitable”  price. 

To be sure, a utility’s seeming ability to exploit economies of scale, standards and interoperability makes good business sense. In fact, these arguments for corporate information utilities sound familiar. They’re just like the arguments used by the old Bell system to justify its monopoly. Ain’t nostalgia grand?

Information utilities may be hazardous to the CIO’s health because they ignore the hard lessons we’ve learned from deregulation.

The best reason why information utilities may be hazardous to corporate CIO health is that they inherently trivialize the hard lessons we’ve learned from deregulation in so many industries during the past several decades. Energy utilities and telcos developed increasingly complex networks of financial cross-subsidies that far exceeded the technical sophistication of their physical networks. Large customers subsidized consumers and vice versa. No one—not even the regulators—could get a real grasp of costs. The clever accountant had greater impact on a utility’s fortunes than a brilliant engineer.

To be sure, deregulation has its debacles. Enron’s frauds immediately come to mind. The hideously mismanaged deregulation of California’s power grid. The savings and loan scandals of the 1980s. But these examples only illuminate the larger point: Ill-conceived regulations create market distortions that pervert economic efficiencies and undermine business effectiveness. Utility economics are predicated on the fundamental notion that a regulated monopoly will allocate resources more efficiently than a more competitive marketplace.

cio.com: Do you agree with Michael Schrage? Go to the online version of this column to ADD A COMMENT at www.cio.com.

Now,  I’d  be  the  first  person  to  agree  that  internal  competition 
for  IT  resources  is  not  likely  to  be  cost-effective.  But  I’m  the 
last  person  to  believe  that  a  dominant  information  utility  is  the 
most  economical,  responsive  and  cost-effective  approach  to  IT 
management  in  either  the  short  or  long  term. 

The classic spiel supporting information utilities is that corporate customers will plug in apps just like electric utility customers plug in appliances. The sad fact is that not all plugs are compatible. Not all utilities understand how to manage peak and off-peak pricing. Monopolists tend to be lousy collaborators. Indeed, many large customers annoyed with utility pricing actually go off the grid. They explore alternative energy sources.

Utility  Computing’s  Siren  Call 

The current interest in information utilities reflects that corporations are sick and tired of the uncertainties, risks and costs of enterprise computing. Vendors recognize this. That’s why the lure of an outsourced utility is so tempting. (Read “Plug and Play” at www.cio.com/printlinks.) Then again, if pay-as-you-go info-utilities were really the way to go, you’d think more businesses would use chargebacks. They don’t. What we have is a willful ignorance of real economics and true costs.

There is no point in trying to implement an information utility until the CIO sits down with the CFO and COO and explains that a CRM system or the e-mail network can either be infrastructure or apps. Implementing a utility means using a cost structure—nothing more, nothing less. Allocating costs for shared services is an accounting game, not technology management. That’s equally true for recovering costs from that information utility investment.

To put the question harshly, how do we know we’re being cost-effective if we don’t know what our costs really are? The CIO as “Information Utility CEO” is appealing because utilities are so good at concealing, manipulating and cleverly reallocating their costs—at least until some serious competition comes along. That’s the cynical interpretation. Here’s a kinder one: CIOs should encourage top management to carefully examine the information utility idea to better appreciate how their internal marketplaces distort, pervert and misalign IT investments and implementations. The accounting costs of implementation can’t be divorced from the implementation of accounting costs. Tomorrow’s IT infrastructure investments should be determined by the business value they can create, not the accounting loopholes they can exploit.

Michael  Schrage  is  codirector  of  the  MIT  Media  Lab’s 
eMarkets  Initiative.  He  can  be  reached  via  e-mail  at 
schrage@media.mit.edu. 




PHOTO  BY  JOHN  SOARES 


Out-of-the-Box 
Best  Practices 


Your Business, Your Way.

You  want  to  think  outside  the  box. 

Your  budget  calls  for  “out  of  the  box.” 
Don’t  you  wish  you  could  have  both? 


Now  more  than  ever  you  need  to  control  costs.  Software  solutions  implemented  straight  out  of  the  box  may  appear  cheaper  and 
faster  to  implement.  The  problem  is,  with  rigid  applications  dictating  how  you  run  your  business,  your  teams  risk  being  trapped 
inside  the  box. 

What if you found Service Management solutions that deliver industry best practices, like ITIL, and also empower you to implement the unique processes that maximize the value of your IT and service support organizations? With Remedy, you have it all.

Remedy’s Service Management software solutions, including Help Desk, Customer Support, Asset Management, and Change Management, deliver out of the box, and outside the box: quickly, easily, within your budget.


www.remedy.com/advantage

or  call  us  at  1.888.2945757 


Remedy 

a BMC Software company


Jack Keen | Real Value

Practical  Counsel  for  Capturing  IT  Value 


Decisions 

IT  project  selection  has  many  pitfalls. 
Get  it  wrong  and  your  IT  portfolio  can  become  a 
nightmare.  Here  are  some  warning  signs 
and  solutions  to  help  you  improve  your  process. 

I.T.  PROJECT  DECISIONS,  and  the  ways  they  are  made,  inevitably  shape 
our  destiny.  Get  them  right  and  we  boost  business  success.  Get 
them  wrong  and  we  preside  over  investment  disasters. 

The  reality  is  that  not  only  are  IT  selection  decisions  tough, 
but  so  are  all  management  decisions.  Paul  Nutt,  professor  of 
management  sciences  at  Ohio  State  University’s  Fisher  College 
of  Business,  reports  in  his  recent  book,  Why  Decisions  Fail: 
Avoiding  the  Blunders  and  Traps  That  Lead  to  Debacles,  that 
more  than  50  percent  of  all  management  business  decisions 
fail,  sometimes  in  big  and  inglorious  ways. 

My own experience suggests that IT investment decision methods fare no better. This is not surprising, since IT projects are often controversial, complex, costly and fraught with unknowns. These challenges frequently foster closed-door, decision team deliberations where too often emotions trump reasoning. Prejudice, bias and ignorance dominate the discourse. Politics rule the day.

Fortunately,  this  situation  is  not  beyond  repair.  Warning 
signs  exist  that  you  are  not  making  good  decisions.  Honestly 
analyzing  your  own  IT  project  decision  process  is  the  first  step 
to  fixing  what  may  be  wrong. 


Warning  Signs 

Here are some symptoms I often detect, followed by suggestions for remedies. If you find at least one of these signs present, I suggest an immediate “process tune-up.” If several of these indicators exist, a downright makeover may be called for.

No self-criticism: Decision-makers frequently won’t critique the objectivity and effectiveness of their own IT project selection methods. (Risk: Decision-making flaws continue to do their damage and give employees the message that management doesn’t “walk the talk” of continuous improvement process initiatives.)

Poor external communication: IT selection team members don’t clearly explain to project stakeholders why individual projects were, or were not, accepted. (Risk: Proposers of losing projects feel alienated, thus festering resistance to funded projects. It also discourages future project submittals, since sponsors find it frustratingly difficult to predict likely success.)




ILLUSTRATION BY ANTHONY FREDA


Enterprise  Intelligence  |  Supplier  Intelligence  |  Organizational  Intelligence  |  Customer  Intelligence  |  Intelligence  Architecture 


Build  a  scalable 
data  warehouse 
with  a  single 
point  of  control. 


SAS®  provides  a  high-impact,  low-risk  way  to 
achieve  intelligent  data  warehousing.  You  can 
extract,  transform  and  load  data  from  any  source, 
across  any  platform,  while  assuring  quality.  Simplify 
the  way  you  create  and  customize  reports.  And 
deliver  a  shared  version  of  the  truth.  To  find  out 
how  top  companies  reap  bottom-line  rewards 
with SAS software, by leveraging the value of
data from corporate systems, e-business channels,
the supply chain and beyond, visit us on the Web
or  call  toll  free  1  866  270  5727. 

www.sas.com/warehouse 


The  Power  to  Know® 


SAS  and  all  other  SAS  Institute  Inc.  product  or  service  names  are  registered  trademarks  or  trademarks  of  SAS  Institute  Inc.  in  the  USA  and  other  countries.  ®  indicates  USA  registration. 
©  2003  SAS  Institute  Inc.  All  rights  reserved.  232130US.0503 


Lack of change: Decision-makers have not visibly changed their IT selection decision process within the past year, regardless of whether “self-critiques” are conducted. (Risk: Decision methods become out-of-step with business climate changes. For example, should risk analysis be more important now than last year? Should different people be involved in the selection process because of business strategy shifts?)

Secrecy is culturally justified: Decision-makers claim that “formalized and open” selection processes are counter to the company’s culture. Management, they assert, is highly experienced and has worked well together for years. The implication: Trust us, we know what’s best for you. (Risk: Even if good selection decisions are actually being made, suspicion and mistrust are easily nourished among the rank and file who, being in the dark, suspect the worst.)

IT projects are often controversial, complex, costly and fraught with unknowns. These challenges frequently foster closed-door deliberations where too often emotions trump reasoning.

Intangibles are resisted: Management decrees that only quantifiable benefits count in a project’s justification. (Risk: The reality is that all decisions involve intangible factors, whether management admits it or not. Hidden intangibles can mean harder-to-quantify strategic projects are rejected and easier-to-quantify tactical projects are accepted.)

Selection criteria are ambiguous: The criteria for selecting projects are vague. (Risk: Competing projects are not consistently evaluated, thus inviting emotions and politics to carry the day. Project submitters then view the process as a dice roll, leading to indifference during implementation time.)

Comparison methods are inexact: Instead of visibly scoring and ranking the attributes of each proposed IT project, and then comparing the results, management simply talks about its impressions and preferences. At the end of the discussion, selection decisions mysteriously emerge. (Risk: Zero opportunity exists to improve the process, since few footprints exist for later review.)


STEP  ONE:  Establish  the  need  for  improvement.  Most 
busy  managers  are  completely  unaware  of  the  traps  of  deci¬ 
sion  making.  Get  the  attention  of  the  IT  selection  team  by 
reviewing  any  warning  signs  detected.  Cast  this  review  as  one 
component  of  proactive  corporate  governance  that  boards  and 
stakeholders  now  so  earnestly  seek.  Make  the  point  that  deci¬ 
sion  process  transparency  breeds  trust,  not  only  in  financial 
matters  but  also  in  IT  selection  decisions. 

STEP  TWO:  Strengthen  all  three  components  of  the  selec¬ 
tion  process.  Effective  processes  have  reliable  inputs,  analyses 

and  outputs.  For  IT  selection  meth¬ 
ods,  this  means: 

■  Good  inputs — Each  proposed 
project  should  have  a  comprehensive, 
accurate,  trustworthy  (yet  succinct) 
business  case  clearly  outlining  costs, 
benefits  and  risks.  Submit  business 
cases  via  standardized  templates. 

■  Dependable  analyses — Objec¬ 
tively  compare  projects  using  stan¬ 
dardized  decision  criteria,  focusing 
on  the  degree  of  each  project’s  align¬ 
ment  to  the  vision,  values  and  goals  of  the  enterprise.  Use 
weighted  scoresheets  to  quantify  and  compare  differences. 

■  Explanatory  outputs — Provide  sponsors  of  winning  and 
losing  project  proposals  with  written  explanations  of  the  team’s 
pro  and  con  assessments  leading  to  the  selection  decision. 

STEP  THREE:  Finally,  proactively  garner  support  for  the 
process.  Take  time  to  be  sure  that  the  following  key  stake¬ 
holders  believe  the  selection  process  to  be  straightforward, 
accurate  and  fair:  the  selection  team;  senior  executives  who 
are  not  part  of  the  selection  team;  midlevel  managers  and 
operations  people  (typically  the  key  proposers  and  imple- 
menters  of  new  systems);  partners  and  suppliers  impacted  by 
selection  decisions;  and  investors.  If  enthusiasm  is  lacking, 
find  out  why  and  fix  it.  I  recall  one  instance  where  the  sim¬ 
ple  act  of  explaining  the  existing  selection  process  to  those 
outside  the  decision  circle  actually  converted  their  suspicions 
into  support. 

I  hope  that  making  the  decision  to  review  your  IT  project 
selection  process  is  an  easy  one  for  you.  Your  total  investment 
in  this  simple  critique  can  be  less  than  10  percent  of  the  losses 
from  a  single  selection  mistake.  That’s  not  a  bad  personal  ROI 
for improving your company’s IT ROI.


Solutions 

Take  heart.  Even  if  you  have  one  or  more  of  the  warning  signs, 
there  is  hope.  These  problems  can  be  fixed,  once  management 
sees the need for change. Here’s a three-step method for making
it happen.


Jack Keen is founder and president of the Deciding
Factor (www.decidingfactor.com) and coauthor of
Making Technology Investments Profitable: ROI Road
Map to Better Business Cases. He can be reached at
jack_keen@compuserve.com.



Cover  Story  |  Application  Security 


Don’t blame Microsoft. Don’t blame the hackers.

Blame yourself for insecure software.

Better yet, stop blaming and start moving toward operational excellence.


BY  SCOTT  BERINATO 


Reader  ROI 

►  The  10  basic  software 
vulnerabilities 

►  The  tools  to  fix  them 

►  Why  CIOs  finally  have 
the  upper  hand 


This past winter, a worm known as Slammer rattled the Internet violently
enough to become what you might call a “CNN-level virus” —
that  is,  it  burrowed  its  way  into  the  national  consciousness. 

Nearly  everything  about  the  SQL  Slammer  was  old.  It  was  an  old 
hack  that  exploited  a  year-old  vulnerability  found  in  an  old  target, 
Microsoft  software.  There  was  a  patch  to  block  Slammer  that  was  six 
months  old,  and  that  patch  suffered  from  an  old  patch  problem:  It  was 
so kludgy to install that the patch needed a patch. Above all, the reaction
to Slammer — the call to use the event to build security awareness —
was so old it called Bob Hope “kid.”

But  this  much  was  new:  Everyone  agreed  that  Slammer  was  your  fault. 

HOW  TO  SAVE  $60  BILLION 

The  old  game  was  to  blame  Microsoft.  “Microsoft  did  not  protect  its 
customers,”  read  a  letter  to  The  New  York  Times  after  the  Melissa 
virus  hit  in  1999.  A  year  later,  after  the  I  Love  You  virus  infected 
Microsoft Outlook, a Washington Post editorial stated, “This is a software
development problem.” The Nimda worm (2001), according to
Forrester Research, required 625 combinations of patches applied to
Microsoft’s Internet Information Server. Nimda, along with its contemporary,
the Code Red virus, eventually compelled Microsoft to
implement  and  market  Trustworthy  Computing,  an  initiative  aimed  at 
helping  Microsoft  developers  learn  how  to  write  secure  code. 



“There’s a relationship between individuals not
taking action and how bugs and viruses spread
out of control,” says Bob Ferderer, VP of IT and
security at CUNA Mutual Group.




BUG ECONOMICS

[Figure: “Most bugs are found after development...” (20% of bugs found pre-development, 80% of bugs found post-development). “But that’s when a bug is most expensive to fix” (chart across the software life cycle: design, coding, internal testing, beta testing, post-release). “So why are you waiting so long to fix them?”]

SOURCE: NIST REPORT, “THE ECONOMIC IMPACTS OF INADEQUATE INFRASTRUCTURE FOR SOFTWARE TESTING,” 2002


Slammer, though, hasn’t followed the old
pattern. A developing consensual wisdom
suggests that as woeful as Microsoft’s products
may be, CIOs have been equally sloppy.
A February poll of more than 200 IT professionals,
by antivirus company Sophos,
showed that 64 percent of respondents
blamed their peers’ lax security practices for
Slammer. Only 24 percent blamed Microsoft.

The poll also revealed that only 43 percent
of the respondents said they subscribed
to Microsoft’s vulnerability mailing list,
which provides early alerts of viruses in the
wild. Twelve percent said they relied on
“mainstream news” — newspapers and
TV — to learn about new viruses. Three percent
said they “don’t really hear about them
at all.” And 19 percent said they patched
software when they “got around to it.”

“I’ve  got  to  look  around  at  my  comrades 
and ask, Why aren’t you patching your systems?”
says Bob Ferderer, vice president of
IT  internal  operations  and  security  at  CUNA 
Mutual  Group,  the  nation’s  largest  financial 
service  provider  for  credit  unions,  with 
5,000  employees  and  $9.3  billion  in  assets. 
“There’s  a  relationship  between  individuals 
not  taking  action  and  how  these  things 
spread  out  of  control.” 

What frustrates Ferderer and other security
experts is the fact that this seemingly
intractable  problem  is  actually  quite  tractable. 
The  tools  and  strategies  to  prevent  another 
Slammer  are  just  waiting  to  be  used.  In  fact, 
the  number  of  tools  and  strategies  available 
to  you — and  available  at  a  reasonable  cost — 
makes  it  inexcusable  for  any  CIO  to  fiddle 
while  the  software  burns. 

There  is,  after  all,  $60  billion  on  the  table. 
A  2002  study  by  the  National  Institute  of 
Standards  and  Technology  (NIST)  developed 
that  number  to  describe  buggy  software’s 
cost to the national economy. Improved software
testing alone, NIST suggests, could
shave  $22  billion  off  that. 

Why can’t the software community motivate
itself to grab all that cash? The answer
lies  in  software  culture. 

Vendors, for the most part, value time-to-market
over security. As long as they can
get away with shipping buggy code,
they will. (See “Sledgehammer,”
Page 64.)

Developers  live  by  deadlines, 
which  compel  them  to  work  fast.  At 
the  same  time,  they’re  being  asked 
to  provide  ever  more  features. 

And  CIOs,  as  a  group,  have  been 
passive,  assuming  there  was  little  they 
could  do  to  effect  change. 

They  assumed  wrong.  In  fact,  a 
growing  number  of  advocates  believe 
CIOs  should  be  leading  the  charge 
for  secure  software. 

“CIOs  must  take  action,”  says 
Linda  Northrop,  director  of  the 
product-line  systems  program  at  the 
Software  Engineering  Institute  (SEI) 
and  coauthor  of  Software  Product 
Lines:  Practices  and  Patterns.  “I 
think  CIOs  have  done  a  deplorable 
job  matching  their  software  decisions 
to  business  goals,  especially  in  its 
security  and  quality.  What  we  need 
from  the  CIO  ranks  are  leaders.” 

Northrop could be talking about
Al Schmidt, vice president of IT and
CIO of $939 million Arch Chemicals.
“What I’ve come to realize,”
says Schmidt, “is that security is
really about operational excellence.
So why wouldn’t I jump on that?
I mean, operational excellence —
that’s what I’m supposed to be doing, right?”

KNOW  YOUR  ENEMY 

The vast majority of vulnerabilities in software
arise from the following 10 basic
development  flaws. 

1. Unvalidated parameters: Anyone can
change a URL to access data. For example,
switching “admin=no” to “admin=yes”
within the URL gives the hacker admin privileges.

2.  Broken  access  control:  Software  doesn’t 
check  a  user’s  authorization  properly,  which 
means  that  credentials  are  cached  and  can 
be  co-opted  by  anyone. 

3. Broken account and session management:
Hackers can take advantage of predictable
validation schemes by, for example, manufacturing
or altering cookies.

4. Cross-site scripting: User hits a poisoned
webpage, which his browser accepts uncritically,
allowing the hacker to access his machine.

5.  Buffer  overflows:  Miscreant  is  allowed  to 
input  so  much  data  that  memory  gets  junked 
up  and  starts  accepting  malicious  commands. 

6.  Command  injection  flaws:  User’s  Web 
application  executes  malicious  commands 
because  it  doesn’t  know  any  better. 

7.  Error-handling  problems:  Error  messages 
give  away  information — for  example,  “ODBC 
Error”  signals  that  a  SQL  injection  (such  as 
the  SQL  Slammer)  is  possible. 

8. Insecure use of cryptography: Use of
homegrown, weak cryptography is easily
compromised by professional bad guys.

9.  Remote  administration  flaws:  Web  apps 
allow  remote  control  of  machines  on  a  known 
port  with  predictable  default  configurations, 
making  hacking  child’s  play. 

10. Web and application server misconfiguration:
Unused features that leave ports open
make servers vulnerable.

SEI  studied  2,500  software  products  and 
56,000  security  incidents,  and  found  the  vast 
majority  of  problems  are  caused  by  those 
defects.  Buffer  overflows  alone  account  for 
40  percent  to  60  percent  of  incidents,  says 
CEO  Steve  Cross.  What’s  more,  the  flaws  are, 
from  a  coding  perspective,  simple  to  fix. 

“The  thing  that  frustrates  me  is  people 
think  that  since  the  problem  is  so  prevalent, 
it  must  be  complex,”  says  Cross.  “It’s  not.  If 
the  public  understood  that  any  freshman 
computer  science  student  knows  how  to  fix 
these  problems,  there  would  be  an  outcry. 
And  there  should  be.” 
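Item 1 of the list above, in code. This is an added example, not code from the article or from any product it names: the first function trusts the URL's admin flag the way the list describes, while the hardened handler rejects parameters it does not expect and takes the role from server-side session data. The session table, role names and the /admin/report path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed server-side state: the client never supplies these values.
SESSIONS = {"s-1001": "alice", "s-2002": "bob"}   # session id -> user
ROLES = {"alice": {"admin"}, "bob": set()}        # user -> roles

# Allowlist: the only query parameters the handler accepts, with their format.
ALLOWED_PARAMS = {"report": re.compile(r"[a-z0-9_-]{1,32}")}


def is_admin_flawed(url):
    """Flawed pattern from item 1: privilege is read from the URL itself,
    so editing admin=no to admin=yes is enough to pass the check."""
    query = parse_qs(urlsplit(url).query)
    return query.get("admin", ["no"])[0] == "yes"


def validate_params(query_string):
    """Reject unknown, repeated or malformed parameters; return the clean ones."""
    clean = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None or len(values) != 1 or not pattern.fullmatch(values[0]):
            raise ValueError(f"rejected parameter {name!r}")
        clean[name] = values[0]
    return clean


def is_admin_hardened(session_id):
    """Privilege comes from the server's own records, keyed by the session.
    Unknown sessions and users without the role are denied by default."""
    user = SESSIONS.get(session_id)
    return user is not None and "admin" in ROLES.get(user, set())


def handle_request(url, session_id):
    """Return (status, body) for a request; the URL cannot grant privilege."""
    parts = urlsplit(url)
    try:
        params = validate_params(parts.query)
    except ValueError:
        # Generic message to the client (item 7); detail belongs in server logs.
        return 400, "Bad request"
    if parts.path != "/admin/report":
        return 404, "Not found"
    if not is_admin_hardened(session_id):
        return 403, "Forbidden"
    return 200, "admin report: " + params.get("report", "summary")


if __name__ == "__main__":
    tampered = "/admin/report?report=q1&admin=yes"
    print("flawed check grants admin:", is_admin_flawed(tampered))
    print("hardened, tampered URL, bob:", handle_request(tampered, "s-2002"))
    print("hardened, clean URL, bob:", handle_request("/admin/report?report=q1", "s-2002"))
    print("hardened, clean URL, alice:", handle_request("/admin/report?report=q1", "s-1001"))
```
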

The  trick  with  code  defects  is  to  find 
them.  A  million-line  software  program, 
which  is  about  the  size  of  the  average 
CAD/CAM package, comprises 20,000
pages of text. Finding errors — even in poorly
written  programs  that  will  have  two  or  so 
errors  per  page — is  like  finding  needles  in  a 
binary  haystack.  And,  once  you  do  find  the 
vulnerabilities,  you  have  to  make  sure  the 
fix  doesn’t  break  anything  else. 

This  used  to  provide  a  reasonable  excuse 
for  letting  bad  software  practices  continue. 
But a new class of application scanning software
is emerging that makes the process of
finding  flaws  almost  trivial. 

HOW TO TAKE RESPONSIBILITY FOR MORE SECURE SOFTWARE

Scan  Everything... 

Application scanning is based on the proposition
that programming errors are reasonably
predictable and limited, even if their
consequences are not. (See “Application
Scanning  Vendors  and  Products,”  Page  68, 
for  eight  top  scanning  tools  on  the  market.) 

Once you buy (one large insurance company
recently paid $120,000) and then train
your developers and IT staff to use the application
(which should take anywhere from
two days to two weeks), plan to use it in
two ways.

First,  make  app  scans  a  mandated  part  of 
all  application  audits.  Whether  it’s  internally 
developed code or third-party software, create
a checkpoint at which an application
must  contain  fewer  than  a  certain  number  of 
bugs,  with  all  egregious  errors  eliminated. 

“We’ve decided to push back,” says Ferderer’s
partner, Tim Burke, IS manager at
CUNA Mutual. “Any new software we’re
developing or having developed must go
through an error-free scan before it’s
deployed.” Second, integrate the application
scanners into the development process by
training your developers and mandating that
outside developers scan their work at predictable
intervals. (This was made easier for
.Net developers last February when
Microsoft integrated the application scanner
from Sanctum into Visual Studio .Net.)

Expect  developers  to  freak  out  about 
that.  “The  first  time  we  had  one  of  our 
developers  run  the  scan  on  some  sample 
code  he  wrote,  his  eyes  bugged  out,”  says 
Erick  Weber,  vice  president  of  enterprise 
information  security  at  IndyMac  Bank, 
which  holds  $9.6  billion  in  assets  and  last 
year  earned  $600  million.  “He  thought  he 
wrote  pretty  good  code,  but  he  had  created 
significant  security  holes. 

“But  it  made  him  want  to  learn  how  to 
integrate  the  scanning  into  his  development. 
That’s  what  we  want.  The  last  thing  we  want 
is  to  have  developers  continue  coding  the  same 
way,  run  scans  on  their  work,  and  then  throw 
the  code  back  at  them  and  say,  Hey,  fix  this.” 

...But  Know  Scanning’s  Limitations 

It  would  be  folly  to  deploy  app  scanning  and 
think  the  security  problem  is  therefore 
licked.  Know  the  limitations  of  these  tools. 

First,  they  don’t  know  what  they  don’t 
know. That is, they scan for known vulnerabilities,
the most common ones. The tools
will  have  to  evolve  as  vulnerabilities  evolve. 

Second,  the  tools  don’t  know  whether  a 
flaw  is  dire  or  benign. 


Sledgehammer 

CIOs now have the power to demand—and get—secure software

The good news is that the economy, the maturity of platforms, the commodification
of software and the emergence of metrics (through tools such as application
scanners and large-scale studies such as the landmark 2002 National
Institute of Standards and Technology study) have combined to give CIOs unprecedented
power over their software vendors.

“All  a  CIO  has  to  say  is,  We  won’t  accept  this  level  of  quality,  and  the  vendors  have  to 
respond,”  says  Laurie  Orlov,  an  analyst  with  Forrester  Research.  “Many  CIOs  are  saying, 
We’ll  buy  one  copy  of  your  software  and  run  some  security  scans  on  it  before  we  invest.” 

A  divisional  IS  officer  at  one  of  the  nation’s  largest  banks  says  his  institution  has 
set  up  a  vendor  evaluation  process  for  security.  “Vendors  either  go  broke  trying  to 
satisfy  our  stringent  criteria,  or,  sometimes,  they  just  turn  and  run  away.  The  beauty 
is  we  give  them  motivation.  Once  their  product  is  certified,  they  get  put  on  a  list  so  the 
next  time  around  we  know  they’ve  satisfied  our  criteria  in  the  past.” 

The  bottom  line,  this  CISO  says,  is  that  “nothing  goes  live  without  security  built  in  first. 
“It's  a  sledgehammer  now.  Two  years  ago,  we’d  ask  them  to  improve  the  security 
and  they’d  fight  us  tooth  and  nail,  and  charge  us  for  it. 

"Now,  there’s  very  little  argument.  They  just  fix  it  when  we  tell  them  to.”  -S.B. 




PHOTO  BY  JOHN  SOARES 




Arch  Chemicals  CIO  Al  Schmidt,  a  former 
developer,  says,  “As  CIO,  you  need  to  be 
pretty  intolerant  of  development  that  doesn’t 
address”  built-in  software  vulnerabilities. 


Third,  some  of  these  scanning  apps  just 
tell  you  where  the  holes  in  the  roof  are,  some 
others  put  buckets  under  the  holes,  and  still 
others  even  suggest  how  to  patch  the  roof. 
But  none  of  them  actually  fix  anything. 

“My concern is people buy them and think
that alone fixes the problem,” says Bill
Guttman, director of the Sustainable Computing
Consortium — a collaborative designed to
protect the nation’s computing infrastructure
and improve the reliability of its IT systems.
“It happened with antivirus [software]. Firewalls.
People develop a false sense of security.”

The next generation of application scanners
should address some of those issues.
Plan for an ongoing investment in application
scanning. A divisional IS officer at one
of the nation’s largest banks (who asked not
to be named) says his company will spend
$30,000 to $40,000 per quarter scanning
and auditing a major application.

IndyMac’s Weber has no trouble justifying
the cost. As an ancillary benefit, he uses
the tools to convince both developers and
his executive peers of the value of security.
He says security is like pollution; no one
cares until they can see it. “I can rattle off
really great reasons we need application
security to users and management,” says
Weber. “But they never really understand
until they see, you know, eight buffer overflows,
right there on their screen.”

Pull  Rank  on  the  Development  Team 

Application  scanning  is  a  useful  tool,  but  it’s 
also  fixing  a  problem  10,000  times  rather 
than  solving  it  once.  If  the  10  basic  software 
flaws are so easy to avoid, why don’t developers
do so?

The answer is that developers have two
masters: features and deadlines. Until
recently, security was not a feature. And
dealing with it usually threatened a deadline.
(There’s an adage among developers:
Speed to market, number of features, level of
quality. Pick two.)

“It’s why we published the 10 vulnerabilities,”
says Mark Curphey, chairman of
the Open Web Application Security Project
(OWASP), an open-source project that develops
Web application and Web services tools.
“Developers understand the vulnerabilities
technically, but they don’t change how they
code because of them. But when CIOs get
the list, right away they understand.”

Bring  the  list  to  a  meeting  with  the  person 
in  charge  of  application  development.  Each  of 
the  10  vulnerabilities  can  be  assigned  to  either 
the  development  group  or  the  IT-operations 
group,  or  in  a  few  cases,  both. 




“As CIO, you need to be pretty intolerant
of development that doesn’t address these
basic issues,” says Schmidt, the Arch Chemicals
CIO who, as a former developer, has
come to appreciate the need for a sit-down
between the CIO and the head of developers.
“Absolutely get talking. And bring some
of the numbers on how much you save by
catching bugs early. That data is out there.”
(See “Bug Economics,” Page 62.)


of  some  wrenching  cultural  change  in  a  guild 
whose  practices  are  30  years  entrenched. 

“There’s  a  fair  bit  of  marketing  involved 
because,  no  question,  it’s  a  politically  tricky 
situation,”  says  the  aforementioned  unnamed 
divisional  IS  officer  of  a  large  bank.  “No  mat¬ 
ter  how  you  approach  development,  they’ll 
resist.  They’ll  say  you’re  threatening  their 
timetables.  If  you’re  a  jerk  about  it,  you  end  up 
losing  and  things  don’t  get  secured.” 


Use  Freely  Available 
Security  Standards 

Start  with  NSTISSP  No.  11,  the  national 
security  standard  that  mandates  that  any 
software  used  in  a  national  security  setting 
must  pass  certain  government  audits.  Learn 
the  criteria,  and  then  demand  that  your 
developers  and  vendors  meet  them.  (Go  to 
www.cio.com/bugs  for  the  NSTISSP  No.  1 1 
standard.) 


The  Golden  Gate  Bridge— About 
minor  and  major  flaws. 


feet  would  contain  both 


Moby  Dick— There  would  be  typos  found  in  the  novel's 

words;  some  would  make  it  difficult  to  read  the  book. 


If  Everything  Were  Built  Like  This 


On  average,  software  contains 
10  to  20  bugs  per  1,000  lines  of 
code.  That  means  a  1  million¬ 
line  program  might  contain 
20,000  bugs— some  of  which 
are  critical  and  some  which 


might  never  get  noticed.  Using 
the  average  of  15  flaws  per 
1,000  lines  of  code,  here’s  how 
that  error  rate  would  translate 
to  the  real  world. 


Automobiles— 615,000  of  the  41  million  cars  produced  in  2000  would 
be  misassembled;  some  of  these  glitches  could  shut  down  the  assembly  line. 


Tax  Returns— 603,682  of  the  40,245,455  e-filed  tax  returns  in  2001 

wouldn’t  have  been  processed.  No  refunds  for  you.  -S.6. 


SOURCES:  GOLDENGATEBRIDGE.ORG,  HERPETOLOGY.COM,  LASVEGASHOTELSANDGUIDE.COM,  IRS.GOV  AND  SIERRACLUB.ORG 


Give  QA  Some  TLC 

The  development  culture  that  rewards  fea¬ 
tures  delivered  quickly  also  scorns  quality 
assurance  (QA).  Here’s  how  several  devel¬ 
opers  view  the  code  testing  piece  of  QA: 

►  “Thankless.” 

►  “Entry-level  button  pushing.” 

►  “You  know  your  career  is  advancing  when 
you  don’t  have  to  do  testing  anymore.” 

It’s  imperative  for  the  CIO  and  the  head 
of  developers  to  reward  developers  who 
don’t  feel  that  way. 

At  CUNA  Mutual,  Ferderer  has  recruited 
top  developers  and  trained  them  to  write  secure 
code.  He  created  a  mentor  program  in  which 
developers  bring  their  code  to  their  quality 
mentors  and  together  they  work  on  securing 
it.  Ferderer  says  it’s  early,  but  there’s  anecdotal 
evidence  that  code  quality  is  improving. 

Make  no  mistake,  forcing  developers  to 
get  involved  with  QA  puts  you  at  the  fulcrum 


“There is a delicacy to confronting development,” agrees IndyMac Bank’s Weber. “The application scanning tools add some objectivity. The CIO should also set development requirements and get management buy-in first. That adds more objectivity. If you clearly define the security parameters, development can’t make it a personal argument or a grudge match.”

It’s easy to see how it could devolve into politics and sniping when Weber explains what he’s really doing. “My job,” says Weber, “is to impose a security will on the developers.”

cio.com: To read the CONTRACT between GE and General Magic, a complete DESCRIPTION of the 10 basic vulnerabilities, as well as the full NIST study on the COST of inadequate software testing, go to www.cio.com/bugs.


The government has many other security standards. (Go to www.cio.com/bugs for a list.) None is a defining standard but virtually every one of them contains something useful. Special Publication 800-27, a NIST document, for example, contains 33 application security principles. (One of them: Implement least-user privilege, which means start with all access turned off and turn it on only as needed, not vice versa.)

It’s important to note that most of the standards are foundational. That is, they’re most useful for software at the design and requirements phase, and less useful for applications that have already been developed and deployed.

Put  Security  in  Writing 

Ferderer  now  requires  that  his  vendors  do 
application  scanning  on  every  software 
package  Mutual  deploys. 




“My  job,”  says  IndyMac  Bank  VP  of  Security  Erick  Weber,  “is  to  impose  a  security 
will  on  the  developers.” 


“The trend to put security right in contracts has become quite successful,” says OWASP’s Curphey. “It’s more common and more accepted than ever, in part because there are the tools which, to a degree, lend objectivity to the security of an application.”

A contract signed between General Electric and the software vendor General Magic last year excited security experts. (Go to www.cio.com/bugs to see the full contract.) Section 7.3 is called Code Integrity Warranty, and it holds the vendor financially accountable for bad software and requires the vendor to fix it.

Tick  Off  These  To-Dos  Too 

After buying the software, reeducating your developers, poring over standards and hanging out with contract attorneys, you can (if you have the energy):

► Check out OWASP. Weber at IndyMac Bank lifts heavily from the OWASP guidelines for secure Web application development.

► Read Winning with Software, by Watts Humphrey, and have the developers read Writing Secure Code, by Michael Howard and David LeBlanc.

► Send your developers to school. College-level computer science classes in writing secure code are starting to appear. At SEI, fellow Humphrey (called “the Edwards Deming of software”) has developed an entire development methodology for secure coding called the Team Software Process (TSP). Microsoft recently put a small group of coders through TSP’s intense two-week training. The group was then charged with rewriting a 24,000-line application under the TSP process. The goal was to reduce the number of defects in the program from 350 to about 22. Microsoft says a post-production defect costs it $4,200. If the company meets its goal, the total cost of post-production defects in this small application (it’s an internal one) would shrink from $1,470,000 to $92,400.

Don’t  Give  Up,  Don’t  Ever  Give  Up 

Asked if he was more optimistic now about security than he was four years ago, when Melissa first hit, Rich Pethia says flatly, “No.”

That’s an unsurprising response from the director of the CERT Coordination Center, charged with disseminating early notice of serious vulnerabilities. CERT has logged over 182,000 security incidents in 14 years, 82,084 in 2002. From 1995 to 2002, CERT mapped 9,162 vulnerabilities, nearly half of them last year.

So  you’d  expect  Pethia,  who  has  briefed 
President  George  W.  Bush  on  such  matters, 
to  be  gloomy.  Still,  Pethia  thought  for  a 
minute  and  then  revised  his  stance. 

“Actually,  I  am  a  little  more  optimistic,” 
he  says.  “There’s  far  more  awareness.  The 
economy  is  terrible,  so  people  can’t  afford 
insecure  applications.  After  9/11,  there’s  a 
national  sense  of  what  these  vulnerabilities 
mean.  We’re  starting  to  put  numbers  on  the 
problem  and  use  risk  assessment  tools.  That 
means  insurance  will  soon  get  in  the  game, 
which  is  always  a  big  step  for  security.” 

Combine these factors, Pethia says, and there’s a breath of hope. In fact, he’s convinced that one more ingredient will validate his optimism: proactive CIOs who demand better software.

So what exactly are you waiting for?


If  you  have  suggestions  for  improving  software 
quality,  you  can  share  them  with  Senior  Editor  Scott 
Berinato  at  sberinato@cio.com. 


Application Scanning Vendors and Products

Vendor                 Product                            Website
Application Security   AppDetective                       www.appsecinc.com
Cenzic                 Hailstorm                          www.cenzic.com
Foundstone             FoundScan                          www.foundstone.com
Kavado                 ScanDo                             www.kavado.com
NetIQ                  VigilEnt Security Agents           www.netiq.com
Sanctum                AppScan                            www.sanctuminc.com
SPI Dynamics           WebInspect                         www.spidynamics.com
WatchFire              SecurityXM (available Nov. 2003)   www.watchfire.com

SOURCES:  IDC,  SANCTUM, CIO  RESEARCH 



You may think the Sarbanes-Oxley legislation has nothing to do with you.


BY  BEN  WORTHEN 


Playing  by  New  Rules 


Sarbanes-Oxley 


Don’t bother speaking to the CIO or anyone on the IT staff if you want to find out how Sola International is using information technology to meet the new reporting requirements mandated by the Sarbanes-Oxley Act. The guy to talk to—Patrick Kiernan, a senior financial systems analyst at the publicly traded, $550 million corrective and sunglass lens design, manufacture and distribution company—reports to the corporate controller. Kiernan is in charge of replacing the company’s manual spreadsheets with an automated reporting system and planning other projects that will further consolidate financial information. He acknowledges that IT can play a small supporting role (“Without IT’s assistance, I couldn’t have had the WAN or the servers”), but he doesn’t see why the CIO should be directly involved with Sarbanes-Oxley. “I doubt if the CIO would even be interested,” Kiernan says.

That perspective bodes trouble for the CIO’s long-term role as the keeper of corporate data, but more immediately for companies’ ability to comply with the new government mandates on how they record, track and disclose financial information.

And yet it’s an alarmingly pervasive point of view. In an informal survey by CIO of the top 19 companies on the Fortune 100 list, most executives viewed compliance with Sarbanes-Oxley as a finance issue, not a systems issue. A few acknowledged a potential role for IT but insisted it was premature for the CIO to be involved.

They are dangerously mistaken. While Sarbanes-Oxley is financial legislation, at its heart it is about ensuring that internal controls or rules are in place to govern the creation and documentation of information in financial statements. Since IT systems are used to generate, change, house and transport that data, CIOs have to build the controls that ensure the information stands up to audit scrutiny.

Editor’s Note: This story on the IT ramifications of the Sarbanes-Oxley Act is the second in a CIO series on federal legislation that is having a profound effect on how your company manages data, ensures security and protects privacy. Find the first story in the series, “What to Do When Uncle Sam Wants Your Data,” at www.cio.com/newrules.

Reader ROI

► Why CIOs must work closely with finance in meeting the new government mandates

► Why it’s all about ensuring the integrity of your corporate data

► What you have to do to restructure your IT systems for compliance

And the CEO and CFO aren’t the only ones who are now personally accountable for the validity of that information. CIOs may also be held liable for invalid data, as the unfolding case against HealthSouth illustrates. (HealthSouth fired CIO Kenneth Livesay last month after he pleaded guilty to federal charges of falsifying financial information and conspiracy to commit wire and securities fraud.)

Imagine, if you will, that Sarbanes-Oxley is a water purity test. What ultimately matters is the quality of the water coming out of the faucet. But no responsible organization would let its water be tested before thoroughly examining and repairing its plumbing, especially when failure means multimillion-dollar fines, a ruined reputation and possibly jail time for top executives. Yet that is what many companies are doing in the race to comply with Sarbanes-Oxley.



The companies that don’t recognize the large role IT must play “will find out later on that they’re wrong,” says Tom Patterson, a senior manager in BearingPoint’s information risk management practice. Companies that don’t involve the CIO, he says, are simply missing the point of the legislation.

Joe Eckroth, CIO of toy maker Mattel, agrees. “With the current environment, there can be nothing more important than getting the systems put in place to ensure compliance with Sarbanes-Oxley and boost investor confidence in the company,” he says.

Putting the systems in place to “ensure compliance with Sarbanes-Oxley will boost investor confidence in the company,” says Mattel CIO Joe Eckroth.

While Eckroth is a key member of the management committee at Mattel assigned to that task, many CIOs remain shut out of the preparations. Here’s what you need to know to be part of your company’s Sarbanes-Oxley marathon.

THE CASE FOR DISCLOSURE

It’s easy to understand why finance feels it must take charge of meeting the Sarbanes-Oxley Act’s reporting requirements. The legislation was, after all, born of public outrage over fraudulent accounting practices, such as those involved in the Enron, WorldCom and now HealthSouth scandals, and a wave of restated financials that further demonstrated the lack of oversight within corporate America.

The act, which is technically called the Public Company Accounting Reform and Investor Protection Act of 2002, was sponsored by Sen. Paul Sarbanes (D-Md.), then chairman of the Committee on Banking, Housing and Urban Affairs in the Senate, and Rep. Michael Oxley (R-Ohio), the Financial Services Committee chair in the House. It passed the Senate unanimously, won easy approval in the House, and President Bush signed it into law on July 30, 2002.

At the time, Sarbanes said that dramatic differences in the way businesses are run today had made obsolete the reporting framework the Securities and Exchange Commission required for the past 70 years. As recently as 1970, the average daily volume of shares traded in the New York Stock Exchange was 12 million. By 2000, it was more than a billion. Whereas markets were once dominated by trusting long-term investors willing to wait for financial information in quarterly and annual reports, today’s markets move in real-time, and twice-shy investors no longer believe that executives have their best interests in mind. Sarbanes-Oxley addresses this by speeding up the filing date for quarterly and annual reports and calling for real-time disclosure of material events (see “Real-Time Disclosure,” Page 74). The amount and speed of information available to the public, as mandated by the legislation, was designed to renew investors’ trust in corporate executives and their financial reports.

It  also  requires  that  companies  institute 
procedures  for  keeping  track  of  all  financial 
information  from  the  moment  of  inception 
to  the  final  submission  in  an  annual  report 
to  the  SEC. 

GUARDING 
AGAINST  FRAUD 

In geek speak, a 404 is someone who is clueless, as in “Don’t ask him; he’s a 404.” The origin is the HTML error message 404, meaning file not found. The meaning of 404 is about to change, and this time you’d better be able to find the file.

Section 404 of the Sarbanes-Oxley Act is barely 100 words long. While that doesn’t sound like much, some companies will end up spending more than $3,000 a word to comply with it. The section says simply that annual reports must contain a statement signed by the CEO and CFO attesting that the information contained in any SEC filing is accurate. The company must also submit to an audit to prove it has controls in place to assure the information is accurate. (The stakes are certainly high enough; the penalties for a false attestation include jail time.)

The problem is that the act doesn’t offer much guidance beyond that broad requirement, and neither, quite frankly, does the SEC’s proposed ruling on the section. (The final rule was not issued by press time.) But while the SEC never says what internal controls are required, it does offer one very good hint. The proposed SEC rule on Section 404 spends a good deal of space discussing the definition of internal controls offered by COSO, an independent group sponsored by five major accounting organizations, including the American Institute of Certified Public Accountants and the Institute of Internal Auditors. COSO issued a report in 1992 examining corporate fraud and what procedures could be put in place to combat it. It recommended that companies adopt a framework whereby all transactions are properly authorized, there are safeguards against improper use, and all transactions are recorded and reported.

What  that  means  is  that  every  division 
in  a  company  needs  to  have  a  documented 
set  of  internal  rules  that  control  how  data  is 
generated,  manipulated,  recorded  and 
reported,  says  John  Flaherty,  the  current 
COSO  chairman  and  former  vice  president 
and  general  auditor  for  PepsiCo. 

In this context, CIOs aren’t at risk for Enron-like fraud as much as what Flaherty calls “honest mistakes — systems that malfunction, miscompute or somehow give the wrong answer.” The bottom line is that if you “develop a system that doesn’t work, that’s a control problem,” he adds.

While the glory may come from fixing the systems that support the company as a whole, Fran Dramis, chief information, e-commerce and security officer at BellSouth, says that the first thing a CIO needs to do is make sure that the IT department has a strong governance framework internally. “[CIOs] should view their function as if [IT] were a separate company and they were the CEO of it,” he says from his office in the telecom giant’s Atlanta headquarters. “Think about having to sign that letter.” No one would put his neck on the line unless he knew that his company’s own systems had a built-in audit trail and proper authorization procedures, and that that could all be proved with documentation.

And then the IT executive needs to make sure that the systems generating, supporting and housing companywide data have the same internal control procedures in place. With that in mind, Dupont, one of the 15 percent to 20 percent of public companies that have adopted the COSO framework, recently gave 1,400 IT employees a half-day crash course in internal controls, says Finda Johnson, global financial manager for IT at the chemical company. The training emphasized key internal control concepts, for example, the need to assign different employees to code the program changes, test them and then move them into production. A different person performing each task helps prevent errors or fraud, Johnson has found.

Real-Time Disclosure

The new rules for disclosing significant events to investors will require a flow of information unlike anything corporations have done before

One section of the Sarbanes-Oxley Act that has broad technology implications is Section 409, which calls for real-time disclosure of “material changes.” Like most of the act, Section 409 is vaguely worded and never actually defines material changes, but most experts think it could be anything from a stock sale by a corporate officer to the loss of a large account—basically anything that could impact a company’s perceived market value. Section 409 can clearly be traced to the Enron, WorldCom, Adelphia and Imclone scandals, where the well-connected cashed out shortly before companies collapsed. Under current financial law, companies don’t need to disclose material changes until they file their quarterly reports. The current Securities and Exchange Commission interpretation forces companies to make that information public within four days.

The new rules will require a flow of information unlike anything corporations have done before. Few corporate systems are currently designed to tag certain information high priority and then automatically route it to the appropriate executives. Analyst companies such as AMR Research think Section 409 could require major infrastructure overhauls. Since most companies aren’t yet willing to do that (in the absence of more concrete guidance from the SEC), compliance with Section 409 is currently limited to training employees to identify material events and notify the proper people within a company or enter the event into a special material event tracking database. As of press time, it remained unclear if this will be enough or whether companies will need to do the rearchitecting AMR and others predict. Stay tuned for more. -B.W.

This is a far cry from business as usual for most IT departments, where the priority has traditionally been getting a project done on time as opposed to documenting the controls process. Mattel’s Eckroth is currently finishing an Oracle financials implementation and says that the world’s largest toy maker is, for the first time, approaching this project with an eye toward Sarbanes-Oxley compliance. “We have to make sure that we haven’t missed something relative to the hierarchy of who can see what, who has signature or purchasing authority,” says Eckroth. Not only does he have to embed these rules into the enterprisewide financial system, but he has to document that he has done it.

“That is a step I have never taken before,” he says.

TRACKING THE DATA

The current state of internal controls within American businesses is surprisingly lax. Most companies have not installed the kind of systems that can track changes to financial data as it moves around internally. “You see all these ERP and CRM systems that collect data, but feed into spreadsheets,” says Erik Guldentops, an executive professor at the management school of the University of Antwerp, Belgium, and an expert on IT controls and auditing. Spreadsheets are a manual process and prone to human error. It doesn’t matter how many usage rules a system has or how complete the documentation is. If data ends in a spreadsheet or any other process where a person works with it, says Guldentops, “the control over the information flow doesn’t exist anymore.”

Numbers bear this out. A 2003 survey by the Hackett Group concluded that 47 percent of the companies used standalone spreadsheets for planning and budgeting. One possible explanation for the uncontrolled information flow is that, on average, companies had nearly three different ERP systems from which to pull data.

That reliance on human processes won’t cut it with the new Sarbanes-Oxley legislation. While CIOs may not have to standardize on one ERP, they do — at the very least — need to document usage rules and an audit trail for each system that contributes financial information. And they have to do it soon: BearingPoint’s Patterson says that in order to stay on target with SEC-mandated compliance dates, that needs to be done by the end of this month. “By May 30th you should have a steering committee mapped out,” he says. By then, you should have done the up-front gap analysis and determined if the current systems pass muster or if you need to make changes.

CIOs who are up to speed on Sarbanes-Oxley suggest specific starting points, such as developing detailed plans for controls on basic financial systems. BellSouth’s Dramis says that “the information from all the systems, while not necessarily linked, has to be reconciled, either by integration or a shared data model.” BellSouth put in place a middleware-intensive infrastructure that facilitates the use and integration of data from different systems.

Bud Mathaisel, CIO of contract manufacturer Solectron, suggests some specific places where data integrity may slip through the cracks. “Look for things where there has been customization made to the general ledger and financial systems,” he says. Those areas typically won’t have the audit trail functionality now required. Mathaisel suggests working closely with the internal audit group to make sure these once-customized systems have acceptable audit trails and other controls.

“Look for things where there has been customization made to financial systems,” says Solectron CIO Bud Mathaisel. Those areas typically won’t have the audit trail functionality now required.

Unfortunately, there is no silver bullet or even one-size-fits-all advice. From a technology point of view, the actions that a company will need to take depend entirely on what it is they find in the internal controls inspection (see “Fifteen Questions You Need to Be Able to Answer,” Page 76). But one thing’s for sure: CIOs need to work closely with the Sarbanes-Oxley auditors to make sure that they know what their companies’ weaknesses are. (For more on this read “The Auditors are Coming” at www.cio.com/printlinks.)

cio.com: To find more resources in this New Rules series as well as a link to the full text of the Sarbanes-Oxley Act, go to www.cio.com/newrules.

SELL  YOUR  EXPERTISE 

Yet if CIOs are being kept out of the loop, how can they even do that? Just what can you do to convince your CFO that it’s time to widen the circle and bring IT in? One persuasive tactic, suggest some leading CIOs, is to demonstrate an impressive understanding of what needs to be done to comply with Sarbanes-Oxley. In fact, your knowledge in this arcane area may just be the ticket that finally gets you a seat at the inner table. Those seats, says Dramis, are usually reserved for CIOs who can explain the business value of technology changes, but who are also able to “put on their business hat and review potential IT work in the context of the broader business needs.” The Sarbanes-Oxley Act is a perfect opportunity for a CIO to demonstrate that he can do both.

Fifteen Questions You Need to Be Able to Answer

You may have gotten away with sloppy practices during your annual audit in the past, but you won’t this year. Auditors are busy learning how to spot an internal control problem that is not in compliance with the Sarbanes-Oxley Act. Here’s an abbreviated list of questions that Cap Gemini Ernst & Young says its auditors will ask CIOs.

1. How are off-balance-sheet transactions and commitments tracked, reported and approved?

2. Are payments to the external auditing firm monitored through the transactional flags on purchase orders, check requests or other means within the system?

3. Are rolling financial forecasts deployed throughout the business (business unit, product line, functional levels)?

4. How many tools are used in the forecasting process? The budgeting process?

5. Do the reporting systems trace back to the general ledgers?

6. Is cash flow from operations and generally accepted accounting principles automatically calculated?

7. Are key measures (drivers of financial results) delivered to operational managers’ desktops daily, weekly, monthly?

8. Are tax-reporting systems integrated with the company’s consolidation system?

9. Are data consolidation or reporting activities performed on spreadsheets? (They’d better not be.)

10. Do transactional reporting systems have agent-based alerts?

11. How are manual entries identified and approved?

12. How much time is spent compiling data and the financial statements versus analyzing the data?

13. How many top-level adjustments are made in the consolidation process?

14. Is the documentation updated every time there is a change to the internal controls process?

15. Do reporting systems flag reserves and other escrow accounts?

Set up a meeting with your CFO and make a presentation on what your company needs to do to comply and how you propose getting there. In the presentation, you need to make sure that the CFO understands how important IT systems are to data integrity. And you also have to make clear that you understand that the plumbing isn’t the only thing that affects purity.

“This is a double-edged sword,” says Richard de Moll, a vice president at Cap Gemini Ernst & Young and a former CFO. “You need to walk in with an educated point of view, but you can’t walk in saying that technology is the answer.” CIOs need to remember that technology, while an important part of Sarbanes-Oxley compliance, is just a part of a process of which the CFO is ultimately in charge.

De  Moll  acknowledges  that  CIOs  will  have  an  uphill 
battle  convincing  finance  that  IT  should  play  a  central  role. 
One  reason  for  that  is  the  festering  tension  that  developed 
between  finance  and  information  technology  in  the  ’90s. 
During  the  tech  boom,  IT  was  the  center  of  attention,  even 
though — from  a  finance  perspective — it  remained  a  cost 
center.  From  the  finance  point  of  view,  the  bubble  burst 
that  forced  so  many  technology  startups  out  of  business 
was  well-deserved  comeuppance.  Finance  distrusts  IT  now 
because  of  all  the  money  wasted  then. 

Understanding  that  is  the  first  step  to  overcoming  the 
divide and getting that lead role. A good way to demonstrate
that you grasp financial reality is to run the IT organization
with a streamlined budget and justify further
spending  with  firm  business  metrics  like  ROI.  Implementing 
internal  controls  processes  within  the  IT  organization  will 
not  only  help  prepare  for  Sarbanes-Oxley  but  will  make  the 
message  to  finance  that  much  stronger. 

Ultimately,  the  best  resources  that  CIOs  have  when  it  comes 
to  Sarbanes-Oxley  compliance  may  be  each  other.  Solectron’s 
Mathaisel  says  that  he  is  closely  watching  best  practices 
exchanges  for  Sarbanes-Oxley  news  and  tips  on  how  other 
CIOs  are  endeavoring  to  fix  their  internal  controls. 

Mattel’s  Eckroth  agrees  that  CIOs  need  to  work  together. 
The  legislation  is  meant  to  restore  confidence  in  the  business 
community  as  a  whole.  In  this  sense,  says  Eckroth,  every 
company  needs  to  take  Sarbanes-Oxley  seriously,  “because 
one bad apple takes us all down.”


For  more  questions,  visit  www.cio.com. 


Share  your  stories  about  Sarbanes-Oxley  with  Staff  Writer  Ben  Worthen 
at  bworthen@cio.com. 




Case  Files:  Blue  Cross  and  Blue  Shield  of  Minnesota 



CUSTOMER  CONNECTIONS 


ORGANIZATION 

Blue  Cross  and  Blue  Shield 
of  Minnesota 

FOUNDED  1933 
REVENUE  $5  billion  in  2002 
HEADQUARTERS  Eagan,  Minn. 
EMPLOYEES  3,800 
CUSTOMERS  2.5  million 
URL  www.bluecrossmn.com 

MISSION 

To  provide  timely,  broad  and 
economical  health  services  for 
people  in  Minnesota 


CUSTOMER  OBJECTIVE 

Attract  and  retain  customers,  reduce 
customer  service  costs,  and  provide 
consumers  with  more  personalized, 
accurate  and  timely  information  by 
implementing  an  online  customer 
self-service  system  that  links  back- 
and  front-end  systems. 


THE  PLAYERS 

JOHN OUNJIAN

CIO  of  BCBS  of  Minnesota 

RICHARD  NEUNER 

CMO  of  BCBS  of  Minnesota 

TIM MEGUINNES

VP  of  Employee  Benefits  for 
Northwest  Airlines 


CASE  ANALYST 

WENDY  S.  CLOSE 

CRM  Research  Director  for  Gartner 


Pain-Free CRM

By taking the time to integrate data for its online CRM system, a
regional health plan has succeeded where other large insurers
have stumbled

By Meridith Levinson


TWO YEARS AGO, John Ounjian, senior vice president and CIO of
Blue Cross and Blue Shield (BCBS) of Minnesota, managed to
convince General Mills, an $8 billion consumer goods giant, to
join his regional health plan on the basis of a promise: He would
soon be installing a Web-based customer service system that would
let subscribers manage their health benefits online. Subscribers
would be able to select health plans tailored to their individual
needs and wallets, calculate their own contributions to their
coverage, research information on prescription drugs and other
treatments, locate participating physicians, and check the status
of their claims.

Selling a product that didn’t exist was the easy part. The hard
part, Ounjian says, was planning and building a CRM system that
would live up to the assurances he gave executives at General
Mills. To implement that system, he had to install a brand-new
infrastructure to integrate his Web and call center operation and
to provide timely, accurate information to customers. And he had
to migrate millions of bytes of data stored in back-end databases
to the Web front end—massaging and reformatting the data so that
consumers could understand it.

Ounjian pulled it off. As a result of the online customer
self-service system his IT staff finished implementing in January
2002, BCBS of Minnesota has not only met the specifications of
General Mills, but the $5 billion plan has also managed to beat
national providers Aetna, Cigna and Humana out of several very
large accounts such as 3M, Northwest Airlines and Target.

Ounjian says his company’s membership grew by 10 percent, or
200,000 new members, in 2002, largely because of its online
customer self-service system. Even more remarkable, BCBS of
Minnesota experienced that growth in membership at a time when
several national insurers lost millions of members. Cigna, for
instance, lost 10 percent of its membership in 2002 due in part to
a botched customer self-service system implementation. (See
“Cigna’s Self-Inflicted Wounds” at www.cio.com/printlinks.)

“We all have to have this capability; that’s not what’s going to
differentiate us,” Ounjian says. “It’s how you execute these
functions, how you bring the customer on board that makes all the
difference.”

EXPERT ANALYSIS

KNOW THY CUSTOMER

BY WENDY S. CLOSE

MANY ENTERPRISES, including health-care insurance providers, are
attempting to move toward a real-time enterprise that uses
up-to-date information in the execution of its critical business
processes. Reducing time is the goal, which results in less
expense, more rapid collection of cash and increased customer
satisfaction. In approaching real-time status, for health-care
insurance providers to invest in Web initiatives is not uncommon.
However, the health-care organization can’t forget the need to
enhance and leverage its back-end systems to support external
customer relationships. This is one of many best practices Blue
Cross and Blue Shield (BCBS) of Minnesota followed when
implementing a customer self-service solution. CIO John Ounjian
did what he was supposed to do in that he emphasized integration
of front- and back-office data, and he was data conscious—he knew
where the data was coming from, where it was going, how it was
going to be used. Here are five other best practices that BCBS of
Minnesota adhered to, which you can also use.

1. Make sure customers really want Web self-service. No
organization should invest in a customer self-service initiative
without first surveying its customers to find out what they really
want.

2. Conduct website usability and usefulness tests. Although the
Web is an ideal place to serve customers, you must take care to
ensure that self-servers are not driven to more costly and
potentially less satisfying service channels such as call centers
because of a poor self-service experience.

3. Integrate the system with CRM. The best customer service
implementations use a centralized architecture where all
interaction channels are serviced equally and quickly.
Implementing a Web self-service system without considering how to
work with existing CRM systems will create additional integration
work.

4. Keep the website content current. When trying to automate
customer service, organizations need to ensure that the
applications and knowledge base provided via the Web have the
right information, at the right time. This means that systems need
to be constantly updated.

5. Don’t focus on buying a mega-CRM solution. Smaller,
tactical-oriented solution deals are now more prominent than the
“one solution does it all” megasolutions. This model is less
expensive to implement and provides organizations with more
control over how and what their CRM solutions do.

Wendy S. Close, CRM research director for Gartner, is a CRM
generalist with 12 years of experience. She can be reached at
inquiry@gartner.com.

DOING  IT  RIGHT 

There  isn’t  an  industry  better  suited  to  online 
customer  self-service  than  health  insurance, 
which  can  intimidate  and  confuse  even  the 
savviest  consumer.  What  patient  wouldn’t 
forgo  her  provider’s  cumbersome  toll-free 
number — with  its  long  hold  times — in  favor 
of  a  Web-based  solution  that  allows  her  24/7 
access  to  all  kinds  of  health-care  answers? 

In addition to offering a viable solution to customer problems,
Web self-service also provides the necessary foundation for
delivering health plans tailored to individual consumers’ needs—a
direction in which the industry is moving to cut managed care
costs. (See “CIOs at the Heart of Health-Care Change” at
www.cio.com/printlinks.)

But implementing such a sophisticated online system required
Ounjian and his staff to overcome some head-scratching hurdles
that have hobbled the efforts of national insurers. The
difference, Ounjian likes to think, was in the planning. To begin
with, he and his staff realized they’d have to lay down a whole
new infrastructure, or “chassis” (Ounjian is fond of automotive
metaphors), for automating interactions with consumers that had
previously taken place over the phone. And in the process of
automating transactions, they’d have to devise a sound data
management strategy to overcome the problems that arose when they
tried to move raw data from back-end systems to the Web front end.
If they didn’t come up with a cohesive plan for moving data back
and forth, they risked having customers looking at information
that was out-of-date, inaccurate, or that varied across the Web
and call center channels.

Ounjian says building an online customer self-service system
without a data management strategy is like building a bridge
without support. “If you don’t have a data management strategy,
then you’re only building half the bridge,” he says.

The actual infrastructure for BCBS of Minnesota’s website and
customer service system is made up of Aspect Communications’
communications platform, Kana’s e-business platform, BEA’s
WebLogic application server and Oracle databases. The Aspect
platform provides the computer telephony integration, the
interactive voice response unit, the Web interaction technology
and the queuing engine that directs calls to the appropriate call
center agent. In addition to the e-business platform, which
integrates with the communications platform from Aspect, Kana
provides e-mail management software as well as an application to
track communication between call center agents and customers so
that BCBS of Minnesota knows who called, when they called and
whether their issues were resolved.

Ounjian is using Oracle databases on the front end to reassemble
and synchronize back-end data so that consumers find consistent,
timely information regardless of whether they use the Web channel
or the call center channel. Ounjian says he’s using different
vendors for the various components of the Web self-service
architecture because there’s no one vendor that supplies
everything one needs for an integrated CRM system. He wanted the
flexibility to layer different applications and functionality from
different vendors on top of his infrastructure.

MAKING DATA SENSE

Ounjian’s biggest headache was devising a tactical strategy for
moving data and transactions from the front end to the back end
and vice versa. Making millions of bytes of back-end data
available and understandable to users on the front end is one of
the biggest challenges for any successful CRM project, regardless
of industry. If you can’t get accurate information to your
customers in a format that they understand, they won’t use your
system. The number of records (100 million) that Ounjian and his
staff had to migrate made the task even more daunting.

Explanations of benefits, for example, were stored as codes that
were meaningless to consumers. Those codes needed to be put in
terms end users could understand. Ounjian says his staff built a
data dictionary for all the codes that included their equivalent
English definitions. It essentially matches up raw back-end data
with the appropriate translation for consumers on the front end.

In the past, when mail the insurer had sent to customers was
returned because the address it had in its files was no longer
correct, BCBS of Minnesota actually entered “bad address” into the
address files on its legacy systems and would fill the ZIP code
field with 9s to denote that the address was no longer correct.
But now that its back-end data is customer-facing with the new
customer self-service system, BCBS of Minnesota can’t risk having
a customer see “bad address” or 99999 as his ZIP code when he
pulls up his file. So these days, whenever the company has mail
returned, it immediately corrects the address in its legacy
systems.

In  addition,  ZIP  codes  stored  in  back-end 
databases  had  been  compressed  from  nine 
digits  to  eight  in  order  to  save  money  on 
storage.  Ounjian  and  his  staff  had  to  expand 
those  ZIP  codes  back  into  their  nine-digit 
form  for  consumers  on  the  front  end. 

Ounjian  believes  the  reason  why  so  many 
CRM  projects — not  just  in  health  care  but 
across  industries — run  into  problems  or  fail 
altogether  is  because  they  aren’t  grounded 
by  an  underlying  plan  for  transferring  data 
that  originates  in  one  system  and  in  one 
form  to  another  system  in  a  different  form. 

Once Ounjian and his staff ironed out the data issues and
developed a prototype of the new website, they invited customers
to test it in a focus group. During those initial trials, they
found the site wasn’t all that consumer-friendly. For example,
they discovered that they needed to change the organization of the
pull-down menus that guide viewers around the site. The engineers
changed the arrangement of pull-down menus so that it better
reflected how laypeople move around the site.

On Jan. 1, 2002, Ounjian finished the first phase of his company’s
new customer self-service system. Phase one consisted of redoing
the infrastructure and offering such online services as a provider
directory, the ability to check one’s membership information, view
claims and contact BCBS of Minnesota’s customer service department
via e-mail. Phase two was completed on Jan. 1, 2003, and consists
of a product called Options Blue, which lets customers obtain
explanations of their benefits, calculate contributions to their
health coverage, and check their deductibles and out-of-pocket
maximums online. Customers can now also order prescriptions by
mail, estimate the costs of prescriptions and medical procedures,
order new ID cards, and find participating pharmacies.

One customer that came on board because of the new self-service
system is Northwest Airlines, which switched over from Cigna on
Jan. 1, 2002. Tim Meguinnes, vice president of employee benefits,
says his company is happy with the way the online system is
running. “It is a wonderful little tool,” Meguinnes says. “Our
employees can look up claims information, get access to
information about their maladies and order new ID cards.”

The system is currently being used by 61 employers with 450,000
individual employees, according to Richard Neuner, chief marketing
officer of BCBS of Minnesota, who is excited about the new
service. Neuner and Ounjian hope to grow that number in the coming
year.

Unable  to  resist  yet  another  car  metaphor, 
Ounjian  concludes,  “We  have  the  chassis  on 
which  to  build  our  investments  from  year 
to  year.  If  my  transmission  needs  to  move 
from  a  three  speed  to  a  five  speed,  I  don’t 
have to redesign the whole car.”


Share your CRM case stories with Executive Editor
Alison Bass at abass@cio.com. Meridith Levinson
(mlevinson@cio.com) is a senior writer.


Q&A | Marco Iansiti

Harvard’s Marco Iansiti, who has studied the technology strategies of
nearly 100 companies, says: Keep your integration expertise in-house


What  do  Wal-Mart  and  Microsoft  have  in  common? 

Besides being giants of their respective industries, they share a
similar organizational structure—at least with respect to how each
company approached integration, says Marco Iansiti, the David
Sarnoff professor of business administration at Harvard Business
School and author of Technology Integration: Making Critical
Choices in a Dynamic World (Harvard Business School Press, 1998).

While many companies outsourced their integration initiatives to
Accenture, EDS, IBM or a host of other consultancies, both Microsoft
and Wal-Mart created in-house teams (product managers at Microsoft;
systems analysts at Wal-Mart) that focused on integration, not on one
product or one process. Those teams are charged with knowing how
all the technologies and processes that link their respective companies
to their business partners function both inside and out. That structure
allows Microsoft and Wal-Mart to be masters of their own fate and,
Iansiti argues, gives them a distinct advantage over their competitors.

(The first chapter of Iansiti’s new book, Keystone: Operating and
Technology Strategies in Business Ecosystems (Harvard Business
School Press, January 2004), is tentatively titled “Why Wal-Mart
and Microsoft Are Similar.”)

Iansiti, who has a degree in physics, came to the Harvard Business
School in 1989 after tiring of “being chained to a lab bench.” The
41-year-old has spent more than 10 years studying the technology
strategies of nearly 100 companies from all sectors, including
retail, technology, manufacturing and the pharmaceutical industry.
He has come to several conclusions about effective integration
strategies and how proper integration translates directly into
business advantage. He has seen companies handle integration well,
and he has seen companies handle it poorly. The former, such as
Wal-Mart and Microsoft, dominate their industries. The latter,
such as Polaroid, end up in the headlines for all the wrong
reasons. Features Editor Lafe Low sat down with him in his big
Harvard office.

PHOTOGRAPHY BY JOHN SOARES

CIO:  What  are  the  essential  elements  of  an 
effective  integration  strategy? 

Marco Iansiti: What I’m focusing on now are the external aspects
[of integration]: How do you manage assets that are outside the
company, and how do you integrate them? Microsoft has 40,000
business partners, and there are approximately 6 million people
who build software on its platform. [Microsoft’s] value is tied
more to the integration with that ecosystem than it is with the
company’s internal resources.

It’s  as  if  you  have  these  concentric  circles. 
The  first  circle  is  the  integration  team,  which 
could  be  a  few  product  managers.  The  next, 
bigger  circle  is  built  around  the  core  team  of 
other  resources  inside  the  company.  Then 
there  is  an  even  bigger  circle  around  them  that 
consists  of  developers,  if  you’re  Microsoft,  or 
manufacturers  or  supply  chain  members,  if 
you’re  Wal-Mart.  The  integration  challenge 
expands  from  five  people  in  a  conference 
room  to  Wal-Mart’s  50,000  suppliers. 

Both [Wal-Mart and Microsoft] form a hub for dispersed networks of
people. The companies’ value is largely dependent on resources
they do not own. Integration becomes not just integration of a
small number of people inside the team or resources inside the
company but the integration of a vast network of people or
organizations, many of which are outside the company.

How  do  you  integrate  assets  you  don’t  own? 
What  strategies  are  most  effective? 

The best strategy for the CIO is to keep technology couplings as
loose as possible. That provides for greater flexibility. You can
keep assembling best-of-breed solutions without committing to any
particular external architecture.

“We’re getting better at managing technology diversity. You don’t
want to have a huge mess, but people are starting to learn how to
manage a slight mess better and cheaper.” -Marco Iansiti

Because of a combination of market and technology perspectives,
the looser approach to integration is very powerful. There are a
lot of technologies available, and vendors are trying very hard to
sell them. At the same time, from a technology perspective, it’s
much easier to integrate without having to commit to any single
vendor. For example, with IBM’s On Demand initiative, it’s very
easy to try a bunch of new technologies without being committed to
[IBM]. Just couple in to what IBM is offering, experiment with
[the applications], then integrate them with your internal assets.

How can a company ensure that its integration strategy is on the
right track, effectively translating strategy into action? And how
can a CIO push this along?

From the CIO’s perspective, these should be fantastic times. Not
in some ways, of course, but from a technology development
perspective. CIOs have a huge number of external options, as well
as an enormous amount of leverage for how to bring in those
options, such as different technologies, different software
applications and different consulting services.

Right now, possibly more than any other time, CIOs are in the
driver’s seat. They have great leverage in terms of more
technology choices and getting good deals. Obviously, CIOs are
under a lot of pressure to cut costs. At the same time, it’s a
good time [to invest in technology] because you can get more for
less. From a technology understanding perspective, it’s much
simpler than it was before because it’s easier to link different
technologies.

The biggest challenge for CIOs is to prioritize what technologies
to pull in. They need strong architectural expertise to figure out
how the different choices fit because they are the ultimate
integrators of all the external suppliers. There’s a real
opportunity to use this leverage right now, while the market is
down, to push themselves in front of competitors that are a little
too conservative. The CIO’s role is primarily one of architecture
and the process of integrating.

For the retail study [done for Technology Integration], we looked
at the technology strategies of several large retailers in the
post-Internet daze. Walgreens potentially had the most integrated
strategy. The company took a little longer but figured out how to
best connect new technology with its existing assets.

However, the number of organizations that went the other way and
got slaughtered was huge (such as CVS, which bought and tacked on
its online business externally). There is no external venture that
was successful. Most—nearly 70 percent—were reintegrated and the
rest were shut down. Integrators such as Walgreens have done well,
while Hail Mary passers such as CVS have not.

How  does  implementing  and  maintaining  an 
effective  integration  strategy  translate  into 
competitive  advantage? 

Integrating internal and external assets is more conservative [than buying or starting an external spinoff]. It’s more efficient. In the retail study, we measured the difference in efficiency between integration players [like




Walgreens] and the Hail Mary external spinouts [like CVS], and it was enormous. Differences of 3-to-1 were easy to come by in sales per employee or whatever productivity measure you’d like to define.

I’m doing some work now on the anatomy of a transition. By the time people figure out how to adopt a technology, they also figure out how to leverage a lot of the old assets. The differentiation comes into the architecture. If everybody deploys SAP or everybody deploys Siebel, that’s not going to be your competitive advantage. But the way you use it and the way you connect it to different systems—that keeps you unique.

IBM is the ultimate example. IBM has reinvented itself many times. It was never a single idea but always this amorphous process. In some ways, what the company is doing now is the same as what it was doing in the 1960s. It’s leveraging the Fortune 500 companies. That’s still its basic model. IBM has gone from leasing mainframes to outsourcing and has done it very well.

The old saw, “Watch out CIO, technology is going to come to kill you, so you better move fast and do whatever you possibly can to react quickly” is gone. I’m not even sure it was ever really true. I still haven’t seen a company that’s been slaughtered by technology. The companies that have done worse in the past 10 years have been the ones that overreacted.

cio.com: For more insight into how WAL-MART and MICROSOFT do what they do, check out the Print Links for this story. Go to www.cio.com/printlinks.


So  it  doesn’t  necessarily  pay  to  be  the  first 
mover  in  regard  to  new  technologies? 

There is no evidence whatsoever that first-mover advantage is good for you. Look at the numbers across industries. It’s not first to move, but first to scale.

Yahoo wasn’t the first Internet directory; Infoseek was the first widely used directory. The first auction site wasn’t eBay; others tried to do it, but eBay got the architecture and business model right and scaled up first. Now that it is to scale, eBay closes 55 percent to 60 percent of its auctions. The number-two site [Yahoo] closes less than 10 percent.

Is  that  part  of  what  went  wrong  with  Polaroid? 

What went wrong wasn’t the technology. Polaroid has been dying a slow death since 1988. Companies get hurt for all sorts of reasons: poor management, inertia, they don’t want to change the business model or the organization, they may have blind spots. Polaroid had a blind spot around marketing.

It made a bunch of mistakes, but you can’t say that digital photography killed Polaroid. It had a lot of assets in digital photography. You could say it even overreacted to it. It was the company’s inability to change to a business model that adapted Polaroid outside of its traditional products.

How has the relationship between technology and strategy changed during the past few years?

The biggest change is the evolution in couplings between technologies. What you see now is more loosely coupled technologies and the ability to exchange data without [requiring] a unifying architecture. We’re starting to realize the power of plugging a lot of different things together, in contrast to having a single, monolithic architecture. We’re getting better at managing technology diversity. You don’t want to have a huge mess, but people are starting to learn how to manage a slight mess better and cheaper. Getting everything to work together is better than throwing everything out and starting from scratch. It’s changing a lot of relationships.

If you look across industries, there’s fragmentation. In the early days, one company owned most of the assets required to design and deliver a product. As industry evolves, there’s more integration of assets from a variety of players. You see it in the car industry, the retail space, manufacturing or wherever. My students and I are spending a lot of time looking at that now in everything from PC manufacturing to semiconductors to pharmaceuticals to apparel.

There’s a [Hong Kong] company called Lee and Fung—it serves The Gap and The Limited—that could be considered a custom supply chain company. It gets an order and orchestrates a broad variety of external assets but guarantees delivery of the product at a specific time and place at a better cost than The Gap could get elsewhere. The company has approximately 8,000 employees, but it leverages about 1 million outside the company in its manufacturing base. It’s like having a 1 million person company but without having to carry them on the payroll.

The  interfaces  between  [technologies] 
have  enabled  industries  to  fragment,  so  the 
integration  challenge  becomes  more  broad. 
If  you  sit  at  the  hub  of  these  networks  and 
manage  the  integration  among  the  different 
pieces,  you  can  enjoy  tremendous  leverage. 

Are there any reliable red flags raised when companies are going down the wrong integration path?

A lot of companies get rid of their integrators [by outsourcing] because they don’t understand their value. Architectural knowledge is foundation number one. I have good friends at Ford running global logistics.


“One of the challenges Ford has is that it has outsourced so much of its process, it no longer has the expertise to understand how it all comes together. Leverage your resources as much as you want, but keep the integrators inside.” -Marco Iansiti




They’ve outsourced so much of their process that they no longer have the expertise to understand how it all comes together. Leverage your resources as much as you want, but keep the integrators inside.

Number two: Don’t think of technology integration as an administrative task. The challenge of managing the integration process runs simultaneously with the challenge of figuring out how to integrate. You’ve got to understand how the technologies come together, which is not the same as putting a person with expertise in Technology A with a person with expertise in Technology B. We’re talking about the cult of the architects. They understand the interactions among different system components and can figure out how to design the whole to best manage that interaction.

“If everybody deploys SAP or everybody deploys Siebel, that’s not going to be your competitive advantage. But the way you use it and the way you connect it to different systems—that keeps you unique.” -Marco Iansiti

The third piece is experimentation. We’ve found people underinvesting in experimentation. Integration is hard. One way it blows up is when you finally pull everything together. Experimentation, however, is easier because many assets are external. Let’s say you’re thinking about whether to deploy CRM. You don’t have to do this humongous internal project. You pick a target business to run a trial, get an On Demand version of CRM from IBM, and try it out for three months. If it goes well, you get a contract or bring it in internally. If it doesn’t, you throw it out.

In every study we’ve done, people who experimented more have always done better.

Does a company ever finish integrating? Can a CIO ever say, There, I’m done?

Do you ever hit the end of innovation? Do you know when it’s done?

What you want to do is build an engine that can do this systematically—scan the environment for technologies coming in, understand scenarios on the customer side, define the technology or product plan, and determine what projects to do. In companies that do this best, the process is like an engine. The method may have a time scale of a month or every quarter or every year where you resurface and select which [technology] you want to win the next phase. You pull it together, integrate and deploy, and come up for air again. It’s a repeatable process. It’s structuring the unstructurable.


Wayne  Gretzky  said  he  was  successful 
because  he  didn't  skate  to  where  the  puck 
was  but  where  it  was  going  to  be.  Where’s 
the  puck  going  to  be  for  CIOs? 

There’s  actually  a  Franz  Klammer  [Olympic 
gold  medalist]  analogy  for  that.  When  they 
clocked  him  skiing  on  any  individual  part 
[of  the  race  course],  he  was  not  the  fastest. 
The  only  part  where  he  was  fastest  was 
coming  out  of  the  turns.  He  wasn’t  braking 
as  much  as  the  others.  You  can  think  of  him 
as  having  a  better  view  of  the  system,  so 
overall,  he  was  faster. 

It’s  not  so  much  understanding  where  the 
puck  is  going  to  be  but  having  a  view  of  the 
game  that  enables  you  to  look  outside  and 
have  the  best  understanding  of  how  the 
game  is  played.  It’s  always  the  system  and 
how  technology  works  within  the  system 
that  makes  the  difference.  Look  at  the  global 
picture.  Look  outside  and  figure  out  where 
the  business  is  going.  That  will  tell  you 
where the technology is going.


Please integrate your thoughts with Marco Iansiti’s by contacting Features Editor Lafe Low at llow@cio.com.




GE  Industrial  Systems  CIO  Stuart  Scott 
saw  opportunity  in  a  PLM  prototype 
being  tested  by  the  engineering  group. 
He  ran  with  the  concept  and  is  now  the 
official  promoter  of  PLM  to  GE’s  other 
divisional  CIOs. 


Product  Lifecycle  Management 


PLM  aims  to  streamline  product  development  and  boost  innovation 
in  manufacturing.  But  it  won’t  be  easy  or  cheap.  Here’s  what  CIOs 
need  to  do  about  this  latest  buzzword  technology. 


there’s  a 


BY  BETH  STACKPOLE 


in  town 


Reader ROI

► The uses of PLM software suites for manufacturing companies—now and in the near future

► The CIO’s initial roles of chief architect and change agent for PLM

► Whether your company needs PLM


CIOS KNOW ABOUT ERP, CRM, SCM AND OTHER ENTERPRISEWIDE, ENERGY-SAPPING, THREE-LETTER ACRONYMS.

Well, it’s now time to come up to speed on another: PLM, short for product lifecycle management. Even in this downturn, manufacturing companies across myriad industries are investing in PLM application suites—to the tune of $2.3 billion this year, according to AMR Research. Why are these pioneers willing to take the risk, particularly when they’ve been burned before on comparable, large-scale software rollouts? Because they see PLM’s potential to vastly improve a company’s ability to innovate, get products to market and reduce errors.

PLM applications hold the promise of seamlessly flowing all of the information produced throughout all phases of a product’s life cycle to everyone in an organization, along with key suppliers and customers. An automotive company or aerospace manufacturer, for example, can shrink the time it takes to introduce new models in a number of ways. Product engineers can dramatically shorten the cycle of implementing and approving engineering changes across an extended design chain. Purchasing agents can work more effectively with suppliers to reuse parts. And executives can take a high-level view of all important product information, from details of the manufacturing line to parts failure rates culled from warranty data and information collected in the field.

Getting to this promised land, however, takes a lot of work on the part of the CIO—perhaps even more than with other enterprise application deployments. Unlike ERP packages, which are typically used to replace various outdated systems, PLM requires integrating many siloed databases and getting people from different business functions to work together better. PLM is not so much a system as a strategy—for integrating and sharing information about products between applications and among different constituencies such as engineering, purchasing, manufacturing, marketing, sales and after-market support.

Because PLM grew out of product design software, CIOs sometimes defer on it to engineering executives, who traditionally have managed their own technology rollouts. While this hands-off approach works for choosing point solutions like CAD tools, it doesn’t fly for a companywide, integrated platform. Different business functions generate product data and deal with it in disparate ways. Manufacturing and engineering, for instance, work with different versions of a bill of materials—a listing of parts and sub-assemblies making up a product—as does purchasing, which also relies on approved vendor lists and catalogs.

For PLM to bear fruit, CIOs need to address touchy issues such as establishing data standards and designing a corporate integration architecture so that formerly fragmented information can be served up to individuals in a format they can use. That way, people in various divisions are equipped to make key decisions—such as what products to introduce or what features to include in a product’s design phase—when they are most cost-effective, rather than midstream in the parts procurement stage or even during manufacturing.

Without the CIO’s early guidance on product lifecycle management, on the other hand, “there’s a much higher probability that each functional tower would decide on what’s best for them rather than searching for a global solution,” says Dennis Charest, vice president of e-business and IT at Hamilton Sundstrand, a $3.4 billion aerospace and industrial products subsidiary of United Technologies. The result of decentralized decision making would be a standards mess and a giant cleanup job for you-know-who.

CIOs can best avoid this trap by acting as both chief architects for the PLM strategy and leaders of change. The first task is to draw up the technology road map, devising the infrastructure to support cross-application integration and helping select the right vendor (see “Shopping Tips for the Vendor Bazaar,” Page 98). The next job is to lead the troops, with the help of key business execs, through the laborious process of changing the way they work. Finally, given the constraints of today’s economy, responsibility falls to CIOs to identify the areas where PLM can deliver the most immediate results. “This is yet another thing that’s going to cost big money,” says Kevin O’Marah, vice president of PLM at AMR Research. “It’s up to the CIO to watch out for where PLM can really be meaningful.”


PRODUCT  LIFECYCLE  MANAGEMENT  is  an  integrated,  information-driven 
approach  to  all  aspects  of  a  product’s  life,  from  its  design  through  manufacture, 
deployment  and  maintenance— culminating  in  the  product’s  removal  from  service 
and  final  disposal.  PLM  software  suites  enable  accessing,  updating,  manipulating 
and  reasoning  about  product  information  that  is  being  produced  in  a  fragmented  and 
distributed  environment.  Another  definition  of  PLM  is  the  integration  of  business 
systems  to  manage  a  product’s  life  cycle. 

SOURCES:  UNIVERSITY  OF  MICHIGAN  PLM  DEVELOPMENT  CONSORTIUM,  ARC  ADVISORY  GROUP 


CIO Stuart Scott sold GE Industrial Systems on PLM. For the next two weeks, you can ASK SCOTT YOUR QUESTIONS or share your own advice at ASK THE SOURCE on selling a great idea to the whole company. Find the page at www.cio.com/ask.


Chief Architect and Change Agent

PLM is a tall order for CIOs, one that a few are just starting to address. Industries such as automotive, consumer-packaged goods and aerospace are taking the lead, but even there, most companies are in the early phases of deployment. The most common starting point is in engineering—creating collaborative design platforms and streamlining the engineering change order (ECO) process. The next steps usually deal with bringing efficiencies to supplier relationships. Still relatively unproven is integrating customer requirements information and post-sales data about products into the broader PLM picture.

“We’re in the real early stages,” says Michael Grieves, director of IT programs for the Center for Professional Development at the University of Michigan’s College of Engineering. “Most of this is still collaborative engineering. You don’t yet see pieces of information from beyond the factory door being tied back in.” To foster research and education on PLM best practices, Grieves has helped establish the university’s PLM Development Consortium, which initially will explore use of the technology in the automotive sector. Industry heavyweights such as Ford Motor, Johnson Controls and Lear are among the charter sponsors, paying as much as $25,000 annually to support the research.

Lear, a $14.4 billion automotive supplier, is taking this kind of stake in PLM because Vice President of IT and CIO John Crary views it as a way to more effectively manage Lear’s product development efforts for its customers—the leading car manufacturers, which contract with Lear for interior systems such as seating, instrument panels and electronics. Crary says he wants to give Lear customers a “laserlike focus” about their projects throughout the development cycle, which can run anywhere from a few weeks to 18 months. In the past, project information was conveyed in an ad hoc manner via spreadsheets and e-mail, and it was often inconsistent, Crary says. Now, using tools from EDS PLM Solutions, Lear has built the underpinnings of a system that will give carmakers a constant flow of information about their projects—everything from engineering schedules to part changes to quality statistics—beginning with current vehicle models.

PHOTOS BY GALE ZUCKER

PLM WAS A TRILATERAL sales job, and my most important role was to act as change agent.
-DENNIS CHAREST, VP OF E-BUSINESS AND I.T. AT HAMILTON SUNDSTRAND

Crary’s initial role with PLM was that of change agent, working with engineering to sell the business case to senior management. From there, Crary helped oversee a cross-functional PLM project team charged with mapping and defining common business processes. Hamilton Sundstrand’s Charest took similar steps. With the engineering and operations groups as cosponsors, he launched a campaign to sell the benefits of PLM to the company’s different constituencies. The campaign included videotapes that talked up how PLM would improve the jobs of product developers, manufacturing personnel and post-sales support staff. “It was a trilateral sales job, and my most important role was to act as change agent,” says Charest. Had he shied away from that task, PLM would never have taken root as an enterprise solution, he says. The first fruits of PLM at Hamilton Sundstrand are more interchangeable parts, flexibility in engineering job roles and a reduction in ECOs by as much as 15 percent.

CIO Stuart Scott orchestrated a wholesale campaign to sell GE Industrial Systems on PLM. What started as a little-known engineering foray into product development management (termed PDM, which is a narrower, engineering-focused version of PLM) became the star attraction of Scott’s biweekly communique highlighting IT successes. But Scott had more in mind than just giving accolades to the engineering department. He believed what was happening in that microcosm had ramifications for all business functions within the $5 billion manufacturer of industrial, electrical, and security systems and services—even for its parent General Electric.

Instead of leaving engineering to its own devices, Scott took the project under his wing. That involved sending e-mails and even making a webcast talking up the virtues of a broader vision of PDM—that is, PLM. Engineering became Scott’s poster child for what was possible. “What I did is help engineering be successful with PDM, and that gave us the power to drive the technology across the business,” he explains.

Prove  the  Value  of  PLM 

Once there’s buy-in on PLM from the business units, it’s up to CIOs to help determine where the biggest opportunities lie. Susan Kampe, vice president and general manager of IT for the $15 billion Automotive Systems Group of Johnson Controls, focused her early PLM efforts on product design and launch, her goal being to keep up with the time-to-market pressures of the major carmakers.

It’s up to CIOs and CIOs alone to ensure that PLM becomes useful for the entire enterprise, says Dennis Charest.

When Kampe came on board in December 2001, a more narrowly focused PDM project was a year behind schedule. She and other executives made sweeping changes, bringing in a seasoned IT program manager (who was also a former CIO at another company) to oversee the bigger PLM strategy. To the all-engineer project team, Johnson Controls added representatives from different business functions, such as purchasing and sales units, and established a cross-functional steering committee, which included senior managers. The biggest challenge was getting stakeholders across functions to agree on common business processes, Kampe says. “These are gut-level changes. It’s not about IT telling business what to change, but about IT and business teaming together to work through how things should run.”

In this economic downturn, IT leaders should keep PLM activity focused on immediate results. Senior management wants nothing to do with multimillion-dollar, multiyear deployments. “Things are tough at the moment, and while you’re trying to invest in new capabilities, you’ve got to do so within the boundaries of profitability,” says Mike Webb, senior vice president of information technology and CIO at Flextronics, a $13 billion electronics manufacturing services provider.

Flextronics’ customers, mostly high-tech and electronics manufacturers, face extreme time-to-market pressures. As their design and manufacturing partner, Flextronics can’t afford the weeklong delay that used to come with approving every engineering change, which can number several hundred for a single product. “All the [product information] was nonintegrated and prone to a lot of error,” Webb explains. “We needed to cut back the processes for ECOs to less than a day, and that gave us a very focused point to start with.” Using a PLM application from Agile Software, Flextronics has accomplished just that. The next steps are to integrate some supplier management capabilities, such as requests for quotes and quality tracking tools, across the enterprise.

Webb, like other CIOs leading the way on PLM, is charged with creating and enforcing data standards so that information can flow freely among systems. He has appointed a team to make sure that the 80-plus Flextronics facilities adhere to PLM nomenclature detailed in a corporate data handbook.

But data standardization doesn’t have to be a constraint. At Ford, the goal is to choose an architecture that allows different data standards to coexist, says Richard Riff, a Ford technical fellow overseeing the company’s PLM project. A large, decentralized company like Ford would be mistaken to insist on a single PLM database, says Riff, who reports to CIO Marv Adams at Ford headquarters. Ford is in the early stages of architecting its PLM data—but regardless of how the task is accomplished, responsibility for data clearly falls on the CIO’s shoulders, says Riff. “A major task of the CIO is to reconcile silos of information into one set of cohesive requirements and product descriptions.”

Shape  the  PLM  Market 

As Riff sees it, CIOs should cultivate relationships
with key PLM vendors to ensure
their companies’ needs are being met in
follow-on products — such as was the case



in the early days of ERP software. Ford
maintains partnerships with its PLM vendors,
IBM, Dassault Systemes and EDS
PLM Solutions, through which it gives input
into the evolution of their products. By
working closely with vendor MatrixOne,
Johnson Controls merged its initial PLM
implementation, which was essentially a custom-built
toolkit, with the software company’s
packaged application suite. This
linkage made MatrixOne’s suite more useful
for the automotive industry as a whole,
Johnson Controls’ Kampe says.


Product Lifecycle Management


Shopping Tips for the


Vendors offering the full complement of PLM functionality
come from different worlds. Here’s how they stack up
now, but analysts predict some consolidation among
the players in coming months.

DESIGN VENDORS. These companies hail from the engineering space and have
added to their design-focused product data management applications to support
additional manufacturing and operations-oriented business processes. Companies in
this space include EDS PLM Solutions, Framework Technologies, MatrixOne, the
IBM/Dassault Systemes partnership and PTC. Their products tend to have a strong
engineering foundation and thus have gained a strong early following from product-oriented
companies, which see product lifecycle management (PLM) as a way to
increase collaboration and improve management of engineering-specific data. These
vendors are a good pick for companies with design-centric PLM requirements.

ENTERPRISE VENDORS. ERP players such as Baan, Eigner, Oracle, PeopleSoft and
SAP are extending their enterprise suites with PLM components. If you’ve got ERP
and like the idea of a single-source supplier, it’s probably worth a look at their offerings.
These PLM products link to financial and manufacturing systems (mostly the
vendors’ own, of course) and include supplier management capabilities and hooks
to customer data in CRM systems. Still, since most PLM deployments begin by trying
to solve engineering-oriented problems, these vendors’ PLM offerings are not
yet in widespread use.

THE NEWCOMERS. Companies such as Agile Software and Arena Solutions were
created for the sole purpose of providing an extended PLM platform. These tools
generally balance design and manufacturing functionality. -B.S.

Procter & Gamble has also leveraged its
connection with a vendor to get the PLM
customizations it requires. Robert Dixon,
vice president of IT for P&G’s Baby, Feminine
and Family Care division, was one of
the initial sponsors of the company’s early
PLM efforts. He talked up EDS’s PLM
group to other P&G divisional CIOs and
top management. As a result of its work
with P&G, EDS PLM Solutions recently
came out with a version of its PLM suite tailored
specifically to consumer-packaged
goods makers. “We wouldn’t have the relationship
with EDS today without [Dixon’s
advocacy],” says Tom Massung, P&G’s
associate director for IT business solutions
PLM. “And we’d still be hunting and pecking,
buying 2,000 to 3,000 licenses at a time
and spending more money.” As a result of
the partnership with EDS, P&G plans to
increase its current installed base of more
than 8,000 licenses of EDS’s TeamCenter
PLM offering to a potential 20,000 users
during the next five years, Massung says.

At GE Industrial Systems, the concerted
campaign by CIO Scott to promote PLM
has led to a multistage implementation
based on MatrixOne’s product. After the
PDM foundation was put in place, Scott,
with guidance from a PLM steering committee,
began work on a document management
system for coordinating more than
18 million purchase orders, intellectual
property licenses, contracts, correspondence
and the like. Next up is integrating sourcing
applications and project management
capabilities. There are numerous other possibilities
to explore, he says.

Scott’s enthusiasm for PLM derives not
from the technology but from the implications
for the business. He’s now the official
promoter of PLM to GE’s divisional CIOs.
Says Scott: “There’s opportunity there if
CIOs can open their eyes and look at PLM
as a change management issue, not an engineering
drawing control issue.”


Is PLM the next ERP? E-mail us your thoughts at
letters@cio.com. Beth Stackpole is a freelance writer
living in Newbury, Mass. She can be reached at
bstack@stackpolepartners.com.


THERE’S OPPORTUNITY there if CIOs
can open their eyes and look at PLM
as a change management issue, not
an engineering drawing control issue.

-STUART SCOTT, CIO, GE INDUSTRIAL SYSTEMS




Reality  Bytes 

A  Cold  Look  at  Hot  Trends 


Buyer  Beware 

This  little  surfer  went  to  market. 
This  little  surfer  went  home. 

BY  MEGAN  SANTOSUS 

IN THE PAST FEW MONTHS, it seems as if I’ve put enough oil in my
car to rival what the Exxon Valdez left on the shores of Prince
William Sound. With more miles than Elizabeth Taylor and
enough rust to make the Titanic look relatively pristine, I figured
that my ride needed an upgrade. So I hopped online hoping
to make quick work of finding my next car.

What  should’ve  been  easy — checking  out  the  2003  models 
on  the  website  of  a  certain  Japanese  car  manufacturer — turned 
out  to  be  impossible.  When  I  first  logged  on  to  the  site,  I  was 
informed  that  I  needed  to  download  a  fancy  plug-in  before  I 
could  see  any  cars.  Do  I  know  what  version  my  browser  is? 
Well,  of  course  not,  so  I  had  to  try  a  few  different  options. 
After  a  few  miscues,  I  could  enter  the  site,  but  I  still  hadn’t 
seen  a  single  photo  of  the  car  I  wanted.  Every  time  I  clicked  on 
the  link  for  a  visual,  I  got  sent  to  an  online  version  of  purgatory. 
“You  are  not  authorized  to  use  this  page,”  read  the  boldface 
type,  and  the  fine  print  wasn’t  any  better:  “You  might  not  have 
permission  to  view  this  directory  or  page  using  the  credentials 
you  supplied.” 

Credentials? All I did was click on a link. Could it be possible
that the carmaker somehow knows about that moving violation
I committed back in 1985?

Bring back the days of the smarmy salesman, please. I’ve had
similar off-putting experiences with other sites ranging from high-tech
ones, where some level of technical sophistication (a doctorate
in computer science, perhaps) is expected, to basic
consumer goods companies where appealing to the lowest common
denominator should, you’d think, be the rule. While looking
for an area retailer that carries cool-looking basketball
sneakers, I never got past the shoe company’s homepage because
my browser isn’t up to snuff. When my printer went on the fritz,
I thought a quick visit to the company’s website might yield a
treasure trove of troubleshooting information, or at the very least
a customer service number. But I’ll never know because I was
rebuffed at the opening gate after I repeatedly declined to find out
more about the company’s new products in a pop-up window.



You  Can  Check  Out,  but  You  Can  Never  Leave 

If  there’s  one  saving  grace  about  the  experiences  I  had  at  car  and 
printer  sites,  it’s  that  I  didn’t  have  to  invest  any  time  inputting 
information  or  navigating  the  seemingly  endless  check-out 
processes.  On  more  than  one  occasion,  when  I’ve  tried  to  buy 
something,  I’ve  actually  completed  the  check-out  process  and 
submitted  my  order  only  to  be  informed  that  something  went 
wrong  along  the  way. 

Most recently, I logged on to the site of a cooking magazine
I subscribe to because I wanted to order a cookbook. When I
found the one I wanted (a task that should have been easier
than it was), I proceeded directly to check-out. I registered,
entered my shipping information and got as far as trying to
pay for the darn thing only to be informed that my credit card
authorization had failed. “Your account number is invalid,”
the message said.

OK, maybe I had to insert those spaces between the numbers
just as they appear on my card. No such luck. Maybe I
need to type in the expiration date using four digits instead of
the two as they appear on my card? Nope. Maybe I transposed
a couple of numbers. Why don’t I read them out loud
as I type? No go.

Now I’m flustered and somewhat concerned. Did I pay my
last statement? Had someone stolen my card? Is this whole site
a ruse set up by thieves to steal my card and possibly my identity?
Do I really like to cook enough to put up with this?

At  that  point,  I  opted  for  the  toll-free  number,  which  in  this 
case  was  listed  on  the  website. 

But  the  number  was  only  for  orders  outside  the  United  States. 

So  instead  of  a  nice  cookbook  containing  a  year’s  worth  of 
recipes,  my  kitchen  remains  cluttered  with  a  dozen  dog-eared 
and  flour-spattered  magazines. 

A  Tangled  Web 

As these not-so-close encounters indicate, the Web is currently
stuck in an ugly adolescent funk. In its infancy, it was hailed as
a promising if misused sales and marketing tool. Too many
sites, pundits said, didn’t do anything; they were nothing more
than electronic brochureware that displayed products and
described them with static ad copy. Today, several years into the
Internet revolution, too many sites aren’t even brochureware.
Requiring plug-ins, high-speed Internet access and a monitor the
size of my dining room table, the sites make something as basic
as window-shopping onerous.

With slick technology, websites can show off pulsating logos
complete with theme song accompaniment, 360-degree product
views and TV-quality video clips. That’s all well and good
for people with serious computers or a hankering for downloading
plug-ins all day long. But for many people like myself who just
want to see an old-fashioned photo of a product, locate a nearby
dealer or request a hard-copy catalog, all those bells and
whistles add up to a big marketing black eye. Instead of enhancing
a company’s image or creating an interactive advertising
channel, the sites serve up heaping doses of frustration and
annoyance. What’s the likelihood that I’ll drop 25 grand on a
new car if that carmaker’s website throws me out like last
week’s leftovers?

The Web is supposed to be fun, informative,
intuitive and — ultimately — better than
television. But no matter how inane or
uncreative TV advertising is, it’s got one significant
advantage over the Web. On TV,
learning about a product or even buying that
product through a toll-free number isn’t hard
work. All you have to do is sit there. The message comes to
you. With many sites on the Web, the user has to work, either
downloading plug-ins or navigating through a byzantine collection
of screens. Companies with poorly designed websites are
in effect breaking a cardinal rule of selling: They make it hard
for consumers to consume.

Now that surfing the Internet for product information is
second nature to a lot of people, it’s even more important for
companies to offer websites that can accommodate a range of
technical capabilities. The Web, after all, is still a giant billboard
first and a transaction platform second. Increasingly,
many potential customers will first learn about a company and
its wares through the Internet. Make a bad impression online,
and companies won’t be given the opportunity to make up for
it in person.

As  for  that  new  car,  I  really  have  my  sights  set  on  a  certain 
model,  and  it  just  so  happens  that  I  live  around  the  corner 
from  a  dealer.  So  I  stopped  by  on  my  way  home  from  work 
one  day. 

I  told  the  sales  rep  I  couldn’t  access  the  website.  He  appeared 
bemused.  “There’s  much  more  information  about  the  cars  on 
the  Internet,”  he  said,  as  he  rummaged  inside  his  desk  for  a 
dusty  brochure. 

Tell me about it.


Opinion  and  Knowledge  Management  Editor  Megan 
Santosus  is  still  looking  to  upgrade  her  ride.  You  can 
reach  her  at  msantosus@cio.com. 




Sound  Off 

Taking  Sides  on  Critical  IT  Issues 


Would  You 
License  Your 
Processes  to 
Others? 

BY  ART  JAHNKE 

DURING THE INTERNET AND TECHNOLOGY BOOM of the 90s, not
every company spent wildly on turnkey enterprise software
packages. Many built their own, and having done so, they realized
that they had created something that could be sold to other
companies. But process licensing came with a few competitive
risks, and the practice never reached the potential imagined by
the people we used to call innovators.

Now, apparently, the process licensing game is enjoying a
growth spurt. According to an article in The New York Times,
sputtering profits from traditional sources have forced many
companies to search for new revenue streams, and process
licensing is just too promising to overlook. The Times reports
that Ford appointed a director of technology commercialization
to institutionalize its lucrative process rental business; that
Caterpillar is so eager to license its processes that it advertises
them on its website; and that Procter & Gamble has hired
BearingPoint to help sell a quality control process.

Observers of the recent rush to the license market point out
that this is hardly going to be a free lunch. Along with gain will
come some pain. One of the first victims, the Times points out,
is likely to be the widespread and extremely valuable practice
of benchmarking, by which many companies share information
(yes, for free) about their best practices. Other business wizards
worry that we will create a universe in which every slight
improvement to a process will suggest some increased value,
and that often-illusory gain will be determined by time-consuming
and expensive litigation.

The  lawyers  will  win  (we  knew  they  would;  they  always 
do).  What  about  the  companies  that  license  their  processes?  Is 
their  gain  worth  the  potential  for  pain? 

We  asked  our  readers  if  they  would  license  their  companies’ 
processes.  Here  are  some  of  the  responses. 

Licensing  processes  isn’t  worth  the  trouble.  I  regularly  share 
ideas  with  my  peers.  These  informal  exchanges  allow  all  of  us 
to  form  our  own  processes,  suiting  our  unique  requirements. 



When it comes to selling processes, there are too many risks
and long-term support implications to make the idea attractive.
It would be akin to entering into the packaged software business —
most people who have tried have lost their shirts.

It’s better to keep things informal. That way people are at liberty
to draw their own conclusions without generating any liability.

Rod  Hamilton 
CIO 
Hygeia 

Process comes in at least four forms: 1. Logic diagram or
model; 2. “Project” plan; 3. Computer executable; 4. The reality
of emergent behavior. I would grant a “license to use” for
the first three forms. The fourth cannot be reproduced or
packaged, and thus cannot be licensed.

With a basic license, you cannot sue me for applying my
process, and I have no responsibility for your outcomes.

The concerns expressed in this column about support, liability
and so on are easily handled by license terms and conditions.
(If you want to take their money without providing them any
recourse, you are safest to use the license agreement wording on
any Microsoft product. Of course, you have to get permission
first.)

Most respondents seem to presume that money is the motivation
for licensing. I would license in order to increase the
coherency of the value webs of which I am a part. Metcalfe’s
Law applies. The guy with the best process is like the guy with
the first fax machine — not really useful until a fully interoperable
process exists at corresponding nodes. How do you
make that happen? License your process. This will bring on the
era of process syndication.

Jack  Ring 

Sole  Proprietor 
Innovation  Management 

Business process may be like communication protocols—only
higher up the food chain than the exchange of messages.
A world of “process syndication,” to quote the felicitous
phrase of another contributor, may have great benefits for the
strategic flexibility of modern companies.

It may be that process syndication reduces
the barriers to entry into new business
areas, lowers the opportunity cost of existing
strategic choices, and ushers in a new
era of “componentized business process
architecture,” or some such thing. After all, most businesses’
core competency is usually only one or two areas out of the
total set of business functionalities. Process syndication would
not only improve the quality and reduce the cost of outsourcing
(as well as insourcing) certain functions, but it gives businesses
more strategic flexibility when answering the question,
What business are we in?

At the same time, I am skeptical that businesses can be
wrapped up in this way. People skills matter. Without good skilled
workers and good managers, any business process will end badly.
A world of licensed processes might change the strategic landscape
of a lot of companies, since, in effect, it would reduce the barrier
to entry and barrier to expertise in any of the process areas.

Simon  Hill 
Consultant 
Emberling  &  Associates 

Remember TQM and Toyota? How many auto companies
and others spent millions of dollars — often at the insistence
of consultants — to find out what Toyota already knew? It was
its culture that made total quality management work at Toyota.
It’s not the seller beware as suggested in the article — it’s
buyer beware.

If  I  wanted  to  wreck  my  competition,  I’d  take  my  business 
practices,  slap  a  best  practices  label  on  them  (or  better,  get 
one  of  the  big  consultancies  to  do  this  for  me),  give  it  away  and 
watch  them  tear  themselves  to  pieces. 

Cliff  Brandon 

Consultant 
Automated  Systems  Alliance 


Want to SOUND OFF on this or other topics? Join the ongoing
debates at comment.cio.com.


Licensing process is either a form of software vending or a
form of franchising (or patenting). The stuff in between —
knowledge, flowcharts, forms, rule books, guidebooks, articles,
textbooks — will be impossible to control without stifling all
adaptation and innovation of those parts of organizations that
try to buy and implement them.

A new kind of business relationship might be possible, one
where adaptation and innovation is traded back to the original
owner of the process in a kind web of diminishing
returns — but where public discourse remains open or is even
encouraged.

Isn’t business process licensing just ERP and business process
reengineering all over again? More important are people, their
satisfaction, the quality and efficiency of
their work, and how able they are to
develop new skills. None of these processes
on sale is so hard anyway (lest they
be the patented kind, such as the production
of ammonia or the refining of oil).

It  is  much  better  to  invest  in  developing  your  organization’s 
skills  in  the  area  of  management  and  organization. 

Simon  Hill 
Consultant 
Emberling  &  Associates 



CSO Perspectives


Today’s  security  executives  meet  at  the  CSO  Perspectives  Conference 

BUILDING  A 


SECURITY 


June  17-19, 2003 
Hotel  del  Coronado 


Building a culture of security involves much more than laying out the policies, procedures and processes that employees, contractors and business partners should follow. It’s about how you effectively communicate the need—how you answer the question “why”—to the myriad of security measures that must necessarily be in place in your organization to ensure the safety of your people, your physical assets and your information assets. It’s about making sure everyone understands the risks and is willing to face up to the challenges.

CSO Perspectives is the landmark event for security and IT executives that helps you confront these challenges by bringing together industry, government and academic experts who’ve dealt with the issues, debated the policies, and navigated the maze of security considerations that impact you on a daily basis. You’ll exchange best practices with your peers and take home lessons learned from their experiences. What’s more, you’ll have ample time to network, share ideas and expand your contacts during our golf tournament, networking lunches, receptions and other activities.

Call  800-366-0246  or  register  at 
www.csoperspectives.com 


The  Resource  for 
Security  Executives 


TUESDAY,  JUNE  17 

3:00  pm— 5:00  pm 

Registration 

11:30  am— 5:00  pm 

Golf  Tournament 

6:30  pm— 8:30  pm 

Registration,  Welcome  Reception 
&  Special  Presentation 


WEDNESDAY,  JUNE  18 


7:00  am— 8:00  am 

Networking  Breakfast 


8:00  am— 8:20  am 

Welcome 

LEW MCCREARY, Editor in Chief, CSO Magazine
BOB BRAGDON, Publisher, CSO Magazine
JONATHAN ZITTRAIN, Conference Moderator and Cofounder, The Berkman Center for Internet & Society, Harvard Law School


8:20  am— 9:20  am 

America’s Place in a Global Society
WESLEY K. CLARK, Former NATO Supreme Allied Commander & CNN Military Analyst, author of Waging Modern War

As American business is increasingly sustained by the global market, international political and military strategy occupy a role of vital significance. Clark has been on the front lines of the world’s emerging markets, intimately aware of the political strategy and psychology that dictate corporate bottom lines. He applies his experience and skills in strategic leadership, high technology, training and organizational development to the challenges facing us today.

9:20  am— 10:20  am 

Creating a Culture of Security
ROBERT LITTLEJOHN, Vice President of Global Security, Avon

Security is an integral piece of the business process—it doesn’t function alone. It is essential that all domestic and international employees understand exactly what to do in situations that involve both physical and cyber security. To build a culture of security the chief security officer must take on a strategic role in the organization, emphasize leadership and communication, and develop the policies and plans that protect the company’s people and other assets.

10:20  am— 11:00  am 

Coffee  Break  and 
Sponsor  Exhibits 


11:00 am— 12:15 pm

Sponsor Briefings

12:15 pm— 1:45 pm

Networking Lunch

2:00 pm— 2:30 pm

Special Session

2:30 pm— 3:30 pm

Governance and Policy Management
Moderator: DEREK SLATER, Executive Editor, CSO Magazine
Participants: NEIL JACKSON, CISA, Business Manager Internal Audit, Global Information Technology, E*TRADE Group, Inc.
BILL SPERNOW, CISO, Georgia Student Finance Commission

Security governance issues are a particularly thorny topic, as more executives and boards of directors understand their responsibility and accountability in information security governance. They will be challenged to prove they are managing aspects of security to a level that will satisfy business partners, customers and stakeholders—and that will minimize potential litigation. A blue-ribbon panel discusses governance issues, who makes the policies, what they look like, how they get made and how you enforce them.

3:30 pm— 4:30 pm

Developing an Effective Framework for Risk Assessment
THOMAS P. ARMOUR, Program Manager, Defense Advanced Research Projects Agency (DARPA)

In order to effectively assess your risks, you need to develop a framework and a highly systematic approach. One key is first analyzing Threat, Vulnerability and Consequences independently, and then assessing them all together. If the Threat and the Vulnerability aren’t large—but the Consequences are massive, you’ve got a very big problem. What are the trade-offs between instituting appropriate levels of security and stifling the business? The approach, tools and analytics are applicable to both physical and cyber security.


4:30  pm— 5:30  pm 

The  Peer-to-Peer  Networking 
Reception 

THURSDAY,  JUNE  19 

7:00  am— 8:00  am 

Breakfast  &  Informal 
Discussion  Roundtables 

8:00  am— 9:15  am 

What Every CSO Should Know About Intellectual Property
Moderator: JONATHAN ZITTRAIN
Panelists: MELISE R. BLAKESLEE, Partner, McDermott, Will & Emery
JOHN P. PONTRELLI, Global Security Director, W.L. Gore & Associates
LYNN MATTICE, Director of Global Security, Boston Scientific

More organizations are realizing the potential threats of not safeguarding their own intellectual property, and of the possible liability of misusing others’ property, even unintentionally or unknowingly. Many are seriously weighing the risks of not implementing digital rights management (DRM) technologies. Our panel explores recent trends in intellectual property issues and litigation, and discusses the impact on businesses of all types.

9:15  am— 10:30  am 

Evaluating New Technologies
Moderator: CHRIS LINDQUIST, Technology Editor, CSO Magazine
BOB DEGAN, Senior Vice President, Corporate Security, First Data Corp.
COLONEL THADDEUS A. DMUCHOWSKI, Director of the Information Assurance Directorate, Department of the Army
DAVID MACLEOD, Ph.D., CISSP, CPHIMS, Director of Security, The Regence Group
JEFF WACKER, EDS Fellow, Vice President & CTO, EDS

It’s been frequently said that security is a business problem, not a technology problem. However, technology does play a crucial role in your ability to provide both physical and cyber security. Our expert panelists talk about what technologies they see in the near term that will have the most impact on the CSO and CISO. What will work, what won’t—what you should be afraid of, and why.

10:30  am— 11:00  am 

Coffee  Break  &  Sponsor  Exhibits 

11:15  am— 12:25  pm 

Sponsor  Briefings 

12:25  pm— 2:00  pm 

Networking  Lunch 

2:15  pm— 3:30  pm 
DrillDown  Breakout  Sessions 

These sessions are designed to give conference attendees the opportunity to work and network in smaller groups, and discuss specific topics and issues in greater detail.

3:45  pm— 5:00  pm 

Ethics and Privacy in Action: A Scenario Panel
Moderator: JONATHAN ZITTRAIN
Panelists:
DEBORAH WEINSTEIN, Labor & Employment Law Attorney, Eckert Seamans Cherin & Mellott, LLC.
CHRISTOPHER HOOFNAGLE, Deputy Counsel, Electronic Privacy Information Center
TERRY LENZNER, Chairman, Investigative Group International
DOUGLAS MILLER, Executive Director of Privacy, America Online

An action or policy may very well be legal—but if it isn’t ethical, you may be setting yourself and your organization up for some nasty surprises (not to mention nastier lawsuits). What’s legal, what’s ethical—what’s the difference and who decides? What role does the corporate culture play in ensuring that all employees consistently adhere to policies? Our panelists—along with audience participants—explore various scenarios.

5:00  pm— 5:15  pm 

Closing  Summary 
JONATHAN  ZITTRAIN 

5:15  pm— 6:00  pm 

Networking  Reception 

7:15  pm— 9:30  pm 
Black Tie Dinner & Entertainment
JIMMY TINGLE, Social/political Commentator & Humorist

Tingle is regarded as one of the top social and political commentators and humorists in the country, uncovering the absurdities of modern life with an irreverent and incisive wit. After two days of hard work and serious presentations, who among us can’t use a good laugh?

Presentation of the CSO Magazine Compass Awards
BOB BRAGDON & LEW MCCREARY

CSO  Magazine  is  pleased  tonight 
to  honor  several  individuals  whose 
leadership,  innovative  thinking  and 
dedicated  effort  have  advanced 
security  awareness,  policies, 
technologies  and  practices  for  the 
betterment  of  the  field. 

9:30  pm— 11:00  pm 

SPECIAL  DESSERT 
RECEPTION 


CSO  Perspectives  is  proudly 
underwritten  by 


Microsoft 


Career  Counsel 


Expert  Advice  to  Aspiring  CIOs  and  IT  Managers  by  Beverly  Lieberman 


When  You’ve 
Just  Had  It 

What  to  do  when  the  job  didn’t  turn  out  as  expected 


Q.  I  have  more  than  10  years  of  experience  on  technical  teams 
at  solutions  provider  companies.  Recently,  I  was  hired  as  an 
IT  manager  at  another  non-IT  company  where  I  believed  I 
could  add  a  lot  of  value.  However,  after  a  year  I  find  myself  not 
as  productive  as  I  thought  I’d  be  because  top  management  is 
unaware  of  IT  responsibilities  and  roles.  My  direct  boss  (the 
COO)  does  not  understand  anything  about  IT  and  cannot  take 
the  time  because  he's  too  busy.  I  am  afraid  at  this  point  I  could 
get  fired  because  we  do  not  understand  each  other.  If  this 
happens,  it  will  be  the  first  failure  of  my  career.  Any  advice? 

A.  First  and  foremost,  make  an  effort  at  developing  a  positive 
relationship  with  your  boss  before  giving  up.  It  is  not 
unusual  for  IT  executives  to  find  themselves  working  for 
managers  who  are  not  IT  savvy  and  are  extremely  busy. 

Because your boss is busy, why not ask for a meeting after hours or early in the morning to review your organization’s progress? In preparation, develop an overview of IT accomplishments to date and show their relationships to the business goals. Has your group been able to help the company make or save money? That should be your key role. If you cannot articulate such a list, then use the time to restate your commitment to the company and ask for some objectives that will ensure you work on the right tasks and spend the company’s money wisely. Be sure to speak in business and not technical terms.

If  you  show  interest  and  sincerity  when  talking  to  your  boss, 
and  speak  “his”  language  of  business,  you  might  have  a  chance 
at  improving  the  working  relationship  and  your  ability  to  be 
productive.  If  after  a  few  attempts  this  technique  does  not 
work,  start  tuning  up  your  resume  and  the  process  of  looking 
elsewhere  for  employment. 

THE  DAILY  GRIND 

Q. For the past 20 years, I have been in IT project management, most recently as a CIO. I am on the dark side of 50. Is it too late to enter consulting, or should I work to retire in my current CIO position? My past work includes federal Department of Defense health-care systems. I’m not a true techie but an engineer who is successful at managing people and projects, strategic planning, and IT organization turnaround. However, the daily crisis mode is wearing on me. Is consulting a good move at this point?

A. I am not sure that it will be easy for you to transfer into consulting at this stage of your career. It could happen if you have some excellent contacts who know and respect you and would be willing to make the appropriate introductions. Without those introductions, though, your lack of consulting experience and your age will be perceived as barriers to entry.

To address your crisis mode feelings, try to discuss with your boss ways to improve the work environment so that it is not so grueling. If you already had those conversations and there is no hope, then you have to decide if you can stay the course and get to retirement or if you have to change positions. Although it is a tough job market, one thought is to reconsider a position with the government, especially in defense and security improvement.

ILLUSTRATION BY BLAIR THORNLEY

ON  THE  FENCE 

Q. I have held CIO, CTO and vice president of technology positions for the past seven years in midsize companies, but currently I’m unemployed. Would there be any advantage in pursuing IT leadership positions in state and city governments? I’m looking for “intangible benefits” that would offset the income—such as increasing future prospects in the private sector, networking or rubbing elbows in political circles.

A. Making a move into the government sector can be rewarding, especially if you want to do this based on a desire to do public service. However, be aware that some who have done this have reported their frustration with bureaucracy and limited budgets. You would need to determine whether any position under consideration has sufficient funding for IT projects and that there are commitments for those projects.

Spending  two  to  three  years  in  the  government  sector  is  about 
all  you  should  do  unless  you  love  it  and  wish  to  make  it  your 
career.  To  take  yourself  out  of  the  corporate  world  for  more 
than  a  few  years  can  limit  your  chances  to  reenter.  Corporate 
executives’  general  perception  of  a  public  service  history  is  not 
very  positive,  unless  you  can  talk  of  important  accomplishments. 

GIVE  ME  A  BREAK 

Q. I am the IS director for a small business. Eight months ago, the CIO was fired for lack of vision and leadership. Since that time I have been the acting CIO. I have made several cost-saving decisions totaling almost $115,000. I have proven my capabilities. Is it time to ask for the promotion?


A. If you have delivered the IT vision and implemented it successfully, then I’d ask for the promotion. Go directly to your boss and ask for input on your accomplishments and determine whether he is ready to promote you. If not, find out specifically what you can do, in a tangible way, to move toward the goal. In addition to the accomplishments you’ve mentioned, being promoted to CIO also depends on the quality of relationships you have with peers and their management. You need the vote of confidence from key users as well as from your boss. I hope this works out for you.

SHOW  ME  THE  MONEY 

Q. I have just been promoted from a director position to a vice president position in the engineering department of a software company. My raise was about 10 percent (no additional stock options) and a slightly larger bonus effective next year. I was told that the promotion was a “field” promotion and, given the economic climate, that this was all the company could do. Personally, I feel slighted and often wonder why I was promoted in the first place. Am I justified in feeling unrewarded?

A. Unless your company is doing much better than its competitors and the industry in general, raises and promotions have been hard to come by because of the recession. At your level, a 10 percent increase is solid and a good indicator that you are valued. In addition, I would take it as a compliment and a vote of confidence to be promoted. It is no doubt their intention is to try and keep you and to acknowledge your positive performance.

You  might  use  this  promotion  as  an  opportunity  to  engage 
in  a  discussion  with  your  boss  about  planning  for  the  future  and 
what  you  can  look  forward  to  in  the  way  of  expanded  or  new 
responsibilities.  Perhaps  a  conversation  about  your  career  and 
interests  will  stimulate  new  ideas  or  educational  directions  for 
you  that  could  also  be  helpful  to  the  company.  Give  some 
thought  about  what  are  the  most  critical  projects  happening  at 
your  company — are  you  working  on  these?  If  not,  see  if  there 
is  a  way  for  you  to  get  involved.  Show  interest  and  commitment 
and maybe you can improve your current position.


Beverly  Lieberman  is  president  of  Halbrecht  Lieberman  Associates,  an 
internationally  recognized  executive  search  company  that  provides 
retained  executive  search  services  across  multiple  industries  while 
specializing  in  IT.  The  Web-based  Executive  Career  Counselor  column 
is  edited  by  Director  of  Online  Research  Kathleen  Kotwica.  She  can  be 
reached  at  kkotwica@cio.com. 



Inside

Under Development: Mirrored, fiber

Tech Tact: Christopher Lindquist: Right time for real-time?


Putting  IT  on  the  Map 

Geographic  information  systems  make  their  way  into  daily  operations 

BY  ALICE  DRAGOON 


Edited  by  Christopher 
Lindquist.  Send  your 
thoughts  and  ideas 
for  future  columns  to 
clindquist@cio.com. 


WE MAY LIVE IN THE AGE of e-mail and instant messaging, but being in the right place at the right time still has its advantages. Customers expect on-time deliveries—and if you can’t get to them right away to help in an emergency, your competitor will. Location matters.

As GIS tools and data sources become increasingly sophisticated and affordable, they’re helping more companies and governments understand precisely where their trucks, their workers and their resources are, where they need to go to serve a customer—and the best way to get from here to there.

ILLUSTRATIONS BY JASON HOWARD STATTS

Now that it’s becoming feasible for companies to equip their employees with such devices as GPS-enabled phones, workers in the field are becoming what David Schell, president of the nonprofit Open GIS Consortium, calls human cursors—individuals who serve as windows into what’s happening in their locations. GIS inverts the traditional office-centric computing model, says Schell, giving companies “widely dispersed capabilities for looking at the environment.” He predicts that spatial data is going to become far more important to many organizations that never had to deal with it before—a new basis on which they can manage their infrastructures.

Yes, there are potential pitfalls. GPS doesn’t work inside buildings or underground without special amplification tools, for example. And the U.S. Department of Defense, which owns the GPS satellites on which many systems rely, could choose to reduce the signal accuracy to prevent enemy soldiers or terrorists from taking advantage of the system.

Despite such hurdles, optimized routing, intelligent site selection, mapping and analysis of crime and disease patterns, and the ability to get turn-by-turn directions on a cell phone are all possible, thanks to GIS. The concept of human cursors may sound futuristic, but here are some intriguing current applications of GIS that suggest otherwise.

Managing the Mobile Workforce

The advent of GPS- and Java-enabled mobile phones is ushering in a new era of connectedness for Roto-Rooter’s mobile employees. Most people calling the plumbing company are in a bad mood (they’ve got water in their basement or just suffered a cold shower), so the faster Roto-Rooter can get one of its 1,500-plus technicians to a customer’s house, the more likely it’ll get the business. But getting the right person to the job efficiently isn’t easy when 90 percent of your operation is responding to emergencies. “We don’t know at 8 o’clock in the morning what most of our jobs are going to be at 3 o’clock in the afternoon because the emergency hasn’t happened yet,” says Roto-Rooter CIO Steve Poppe. “And sometimes [technicians] are not exactly where we think they are. Guys can pass each other on the expressway, one going north and one going south, because the dispatcher didn’t see the whole field of play.”

Since 1996, Poppe has been eager to replace the techs’ pagers with handhelds linked to the network. But he didn’t want to get locked into a particular server, the cost of handhelds was prohibitive, and Poppe didn’t have the $7 million he estimated he’d need to develop the software.

So it’s no surprise that Poppe was first in line to pilot eTrace, a mobile workforce management hosted service from Gearworks. The eTrace software, which Roto-Rooter launched in April, was first deployed on Nextel’s new GPS- and Java-enabled i58sr phone (although Poppe can upgrade phones since the software is Java-based). When a customer calls, the dispatcher types in the customer’s ZIP code or address, creating a map showing the job site in relation to all local techs with the required expertise. The dispatcher can see not only who’s closest to the new job but whether each tech is available, in the middle of a job or within 15 minutes of finishing, which helps the dispatcher choose the best person for the assignment. Techs can push a button and get turn-by-turn driving directions on their phones.

Place Holders

Technology: Geographic information systems

Anticipated benefit: Optimized routing, location-based trend analysis, mapping and directions, site selection and more.

Hurdles: The U.S. military could choose to reduce GPS satellite accuracy for security reasons; GPS doesn’t work inside or underground without amplification tools.

Primary markets: Mobile workforces, delivery fleets, governments.

Cost: Varies widely by application.

Vendors

@Road (www.atroad.com): Hosted mobile resource management services.

Autodesk (www.autodesk.com): Mapping tools and GIS tools for CAD and GIS data.

Environmental Systems Research Institute (www.esri.com): GIS and mapping software.

Garmin (www.garmin.com): GPS handheld receivers.

Gearworks (www.gearworks.com): GPS fleet tracking, real-time job ticketing, status updates, messaging, directions and Web-based dispatch.

Intergraph (www.intergraph.com): Mapping and geospatial products.

MapInfo (www.mapinfo.com): Location-based software and services.

Navigation Technologies (navtech.com): Digital map data.

Nextel (www.nextel.com): GPS-enabled wireless phones and Mobile Locator service (scheduled to launch later this year).

Pomals (www.pomals.com): Mobile location-based applications.

Tele Atlas (www.teleatlas.com): Digital map data.

A planned software upgrade will also reduce paperwork; instead of
handwriting invoices, techs will use software on their phones. The
techs (who work on commission) will hit a button that notifies the
dispatcher that they’re closing out a job and will soon be available
for their next assignment. Then, they’ll punch in appropriate charges
and get a reminder to offer the customer drain-care products. Tax
rates will also be tied to the customer’s GPS location. Techs will
then beam the information from their phones to a small wireless
printer, which will also let them swipe credit cards and capture
customer signatures electronically (thus qualifying Roto-Rooter for a
lower rate from credit card vendors, which Poppe says will help pay
for the project). Poppe expects ROI on the project within a year.

Special  Delivery 

GIS is also helping companies differentiate their delivery services
and meet demand for ever-shrinking delivery windows. UltraEx, a West
Coast company that specializes in same-day deliveries (think emergency
blood supplies and computer parts), equips all of its vehicles with
@Road’s GPS receivers and wireless modems. In addition to giving
dispatchers a big-picture view of the entire fleet (and discouraging
drivers from goofing off), @Road helps UltraEx keep understandably
nervous clients happy by letting them track the location and speed of
their shipments on the Web in real-time. This Delivery 411 service,
which UltraEx codeveloped with @Road, shows customers a map of the
last place the satellite detected the delivery vehicle and how fast it
was traveling.

Dispatchers can choose the closest driver for each job, and drivers
who own their vehicles can’t fudge their mileage sheets because @Road
reports exact mileage for each vehicle. UltraEx spends roughly $2 a
day per vehicle to have @Road, “but if the driver can make one more
pickup per day, we’re way ahead,” says Michael Oakes, vice president
of business development at UltraEx.

Publix Direct, the online grocery service of Publix Supermarkets, uses
GIS-enabled logistics software from Descartes to optimize delivery
routes. When a customer concludes her order, the software does
on-the-fly analysis to determine the most profitable delivery windows
given the customer’s location, order size, other scheduled deliveries
in that zone, and estimates of driving and service times based on data
from Navigation Technologies. Within five to 15 seconds, the customer
sees delivery-time options that would be most cost-effective for
Publix. Customers choose a 90-minute window, then get a confirmation
e-mail giving a 60-minute ETA on the day of the delivery. The software
is so accurate that Publix Direct handles more than 7,000 orders a
week—and delivers 97 percent of them on time. “The economics of
delivery are a make-or-break facet of this business,” says Jim Cossin,
director of fulfillment operations for Publix Direct. “This allows us
to balance the convenience factor with the customer, offering them as
many possible windows as we can, while at the same time creating
economically feasible routes in the background.”

Local  Politics 

Location is germane to virtually every government function, and many
municipalities are at the forefront of applying GIS. New York City,
for example, is famous for pioneering CompStat, which uses GIS to map
criminal activity and police deployment by date, time and location. By
making precinct commanders accountable for their policing strategies,
it has been a major factor in reducing the city’s violent crime rate
by nearly 70 percent in the past decade, says Lawrence Knafo, deputy
commissioner of New York City’s Department of IT and Telecom (DoITT).
In March, New York expanded its use of GIS to launch its 311 service
to handle nonemergency service requests. As the city consolidates 12
call centers into one, calls are now entered into a Siebel CRM system
that taps into GIS databases to verify callers’ addresses and cross
streets before city workers are dispatched. Operators can also access
such location-based information as garbage pickup times and contact
information for local elected officials.

Beyond enabling efficient responses to service requests, the system
allows the city to aggregate—and map, spatially and temporally—311
data across service sectors. “Geocoding” the calls makes it possible
to analyze how well (or poorly) the city is providing services,
helping policy-makers decide how best to allocate scarce resources.
Knafo thinks that analysis of geocoded 311 and 911 data could
potentially reveal previously unnoticed patterns in quality-of-life
complaints that tend to precede violent crimes. “We might be able to
actually stop crime before it happens,” he says.




“Combinations of data from disparate sources are usually needed to
solve and understand complex problems,” says Alan Leidner, assistant
commissioner of DoITT and director of the citywide GIS program. “In
the past, without the GIS system and GIS databases, [the city had]
isolated silos of data that never saw each other, ever. That’s really
changing in a big way.” Collecting spatial data in a validated,
normalized form enables meaningful combinations of data. For example,
the city’s health department used GIS to map cases of West Nile virus,
evidence of dead birds and the locations of wetlands to predict where
human cases would most likely show up. City officials believe that
preemptive spraying in those areas has reduced the incidence of the
disease.

The city’s Environmental Systems Research Institute-based emergency
management online system (EMOLS) uses GIS and the Web to disseminate
location-specific information during snowstorms, transit strikes or
other emergencies. Citizens enter an address online and get a map
showing the location and whether it’s safe. If it’s in a danger zone,
they’ll receive evacuation instructions or information on how to
protect themselves. In the days following 9/11, citizens used EMOLS to
find out where they could walk and drive as well as the status of
power, water, steam and phone service.

Mayor Michael Bloomberg’s open government initiative also draws on GIS
to give citizens Web access to statistics once available only in paper
tomes in aggregate form. Now anyone can go to the “My Neighborhood
Statistics” section of NYC.gov, type in an address and see (even
download for analysis) local stats on many items, including noise
complaints, student attendance and murder rates.

“Everything in government is geographic,” says Knafo. “[GIS] is
becoming the basis of how we proactively govern.”


Senior  Editor  Alice  Dragoon  can  be  reached  at 
adragoon@cio.com. 


UNDER  DEVELOPMENT 

Fiber  optics 

Looking-Glass  Fiber 

DON'T LOOK NOW, but a new low-loss optical fiber—featuring a mirrored core—can
conduct  an  intense  stream  of  laser  light  that  would  melt  an  ordinary  fiber. 

The  photonic  bandgap  fiber  is  based  on  nonmetallic  “dielectric  mirror”  technology 
developed  by  Yoel  Fink,  an  MIT  assistant  professor  of  material  science  and  engineering 
(for  other  Fink  research,  see  “It  Reflects  Well  on  You”  at  www.cio.com/printlinks ).  The 
fiber  contains  a  hollow  core  surrounded  by  a  highly  confining  reflective  surface. 

To create the fiber, Fink and his researchers used a pair of materials—arsenic triselenide
and polyethersulfone—that have very different optical properties yet soften at
the  same  temperature.  The  materials  are  layered  in  alternating  thicknesses  and  then  are 
fed  into  a  furnace  and  drawn  into  a  fiber.  When  stretched,  the  layers  reduce  in  thickness 
to  micrometer  dimensions  and  create  a  mirror  that  confines  light  to  the  hollow  core. 

"For  the  first  time,  we’re  able  to  make  a  fiber  that  has  lower  losses  than  the  material  it’s 
made  of,"  says  Fink. 

Besides  providing  the  foundation  for  longer  distance  optical  transmission  media,  the 
fiber  also  has  several  potential  industrial  and  medical  applications.  On  the  factory  floor, 
more  powerful  laser  tools  would  allow  workers  to  quickly  and  efficiently  cut  through 
metal. Surgeons, on the other hand, could use the technology to vaporize dense biological
objects, such as kidney stones, that are impervious to existing laser tools. Since the
research  was  partially  funded  by  the  Defense  Advanced  Research  Projects  Agency,  it’s 
also  likely  that  the  military  is  thinking  about  using  the  fiber  to  shoot  high-energy  laser 
bursts  at  enemy  assets. 

Fink  says  he’s  already  heard  from  several  companies  that  are  interested  in  using  the 
technology.  “We’re  working  hard  at  trying  to  commercialize  it,"  he  notes.  "There  are 
probably  some  roadblocks  ahead,  since  we're  working  with  previously  untried  materials, 
but  we  haven’t  found  any  yet.” 

-John  Edwards 




New  products  and  current  trends  are  making  real-time  a  reality 

BY  CHRISTOPHER  LINDQUIST 


TECH  TACT 
Real-time  apps 

Real  Timing 


REAL-TIME,  RIGHT  TIME,  whatever  you 
want to call it, dozens of vendors are lining
up to give your company information
“at  the  moment  you  need  it.” 

In the early days of the phrase, “real-time” often meant little more
than “I’m going to query your data source repeatedly and often to make
sure I don’t miss anything—system resources be damned!” Needless to
say, this technique didn’t make many friends in the IT community.

Even today this continuous querying is often what you’ll get if you
ask for real-time information access. But a change is happening.
Events, messaging, publish/subscribe, Web services—these are the terms
that will dominate the conversations around real-time in the coming
months. Now, instead of dealing with reporting apps that constantly
tap their data sources on the shoulder, hoping by serendipity to snag
a snapshot just when something important happens, the data sources
themselves (or the middleware that connects them to everything else)
will note important events and automatically inform the relevant
reporting and monitoring apps. Will it be split-second response times
in every case? No. But unless you’re on a trading floor, a wait of a
few minutes isn’t likely to cause any pain.

“I think ‘right time’ is the right solution, but as you look at
advances in technology over time, I think real-time will become right
time,” says David Gillhouse, vice president for information technology
at garage door opener manufacturer The Chamberlain Group. The company
currently uses real-time synchronization software from DataMirror to
guarantee that data center “hot sites” in Illinois and another in
Mexico are always up-to-date.

And DataMirror is far from the only player in the real-time space. In
February, Sonic Software launched Release 5.0 of its SonicMQ
enterprise messaging infrastructure. On the reporting front,
Informatica unveiled PowerAnalyzer 4 in March. Prior to this release,
Informatica fell squarely in the “query, query and query again” school
of real-time. But version 4 lets users take advantage of Java
Messaging Services to create a truly event-driven data flow, in
addition to the company’s more traditional tools.

There are also several upstarts. On the smaller side, KnowNow released
LiveSheet for Excel, which lets users connect and constantly sync
Excel spreadsheets—no need to worry about who has the most recent
data.

Startup Iteration Software, meanwhile, has bigger dreams. Its founder,
Ken Gardner, envisions a “streaming information model” where data
constantly flows to reporting apps (like his) that can take what they
need, when they need it. Want to see exactly how many sales each
employee in your call center is generating on a moment-by-moment
basis? Iteration’s Real-time Reporting Suite (in conjunction with the
properly message-enabled applications or middleware) can tell you.

But it may be a long while—if ever—before such real-time reporting
dominates. “We look at it as a supplemental tool to our data mart,”
says Thomas Adler, manager of customer data and integration at the
California State Automobile Association (CSAA), which is evaluating
Iteration’s suite. “A lot of the reporting that we do on regular
[time] increments is going to be fine.” But if all goes well, the
Iteration application will bridge an information gap, allowing CSAA to
quickly route time-critical information to those who need it in
minutes—not days.

Of course, this does raise a big question: Where is all this real-time
data access headed? A control panel full of dials showing the average
words per minute of typists in an enterprise? The average number of
syllables per closing for each salesperson? Ridiculous? Of course. But
considering that not many years ago a request such as “I need that
worldwide sales summary by next week” used to give IT folks the
giggles, isn’t it interesting to be so close to the other end of
absurd?


Christopher  Lindquist  ( clindquist@cio.com )  is 
CIO's  technology  editor. 




PHOTO  BY  EDWARD  CALDWELL 









CIO  IS  PUBLISHED  IN  THE 
UNITED  STATES  AS  WELL  AS  IN: 

Australia,  CIO  Australia  www.idg.com.au 
Canada,  CIO  Canada  www.lti.on.ca/cio 
China,  CEO  &  CIO  China 
www.ceocio.com.cn 
Germany,  CIO  Germany  www.cio.de 
India,  CIO  India  91-80-521-0309/12 
Japan,  CIO  Japan  www.idg.co.jp 
Korea,  CIO  Korea  www.cio.seoul.kr 
New  Zealand,  CIO  New  Zealand 
www.idg.co.nz 

Poland,  CXO  Poland  www.cxo.pl 
Singapore,  CIO  ACEN/Hong-Kong 
www.idg.com.sg 

Sweden,  CIO  Sweden  www.cio.idg.se 

CIO  Contact 
Information 

Editorial, Advertising and Business
Offices: 492 Old Connecticut Path,
P.O. Box 9208, Framingham, MA
01701-9208, 508 872-0080.

CIO (ISSN 0894-9301) is published
semimonthly and as a combined issue
December 15/January 1 by CXO Media
Inc., 492 Old Connecticut Path, P.O.
Box 9208, Framingham, MA 01701-9208.
Periodicals postage paid at
Framingham, MA, and at additional
mailing offices. Canada Publications
Mail Agreement Number 1902075.
CANADIAN POSTMASTER: Please
return undeliverable copy to P.O. Box
1632, Windsor, ON N9A 7C9.

Permissions:  Copyright  2003  by 
CXO  Media  Inc.  All  rights  reserved. 
Reproduction  of  material  appearing 
in  CIO  is  forbidden  without  written 
permission.  Send  all  requests  to 
Permissions  Department,  CIO,  492 
Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208. 

Photocopy  Rights:  Permission  to 
photocopy  for  internal  or  personal 
use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CIO  for 
users through the Copyright Clearance
Center, provided that the base
fee  of  $3  per  copy  of  the  article,  plus 
$.50  per  page  is  paid  directly  to 
Copyright  Clearance  Center,  27 
Congress  Street,  Salem,  MA  01970. 
Please  specify:  ISSN  0894-9301. 
Permission  to  photocopy  does  not 
extend  to  contributed  articles 
followed  by  this  symbol:  J. 

Subscriptions: Address inquiries to
CIO, P.O. Box 489, Northbrook, IL
60065-0489; 866 354-1125. CIO is
free to qualified information executives.
To all others the one-year basic
rate is $150 for the United States and
Canada, $195 to foreign countries
(payable in U.S. funds only). The
single copy price is $9. Please allow
four to six weeks for new subscriptions
to begin.

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio  and 
follow  the  online  instructions. 

Postmaster:  Send  change  of  address 
to  CIO,  P.O.  Box  489,  Northbrook,  IL 
60065-9816.  Printed  in  the  U.S.A. 




CIO ENTERPRISE VALUE AWARDS


The  Resource  for 
Information  Executives 


As  an  executive  who  has  built  or  utilized  an  IT  system  that 
delivers  both  demonstrable  ROI  and  strategic  value  to  your 
organization,  you  deserve  recognition  and  praise. 

Now  in  its  12th  year,  the  CIO  Enterprise  Value  Award  will 
bring  you,  your  company  and  your  IT  organization  the 
industry  prestige  you  deserve. 


Download the application from our website at www.cio.com/eva or contact Lynne Rigolini at (508) 935-4088.

Deadline for entry: May 30, 2003


EXECUTIVE 


May  15,  2003 


COVER STORY
Software Security

By Scott Berinato | 60

The seemingly intractable problem of software security vulnerability isn’t, as it turns out, all that intractable. The tools and strategies to prevent another Slammer worm are available, waiting to be used, making it inexcusable for CIOs to blame vendors for the problem. A new class of application scanning software makes it much easier to find the code defects that create security holes, allowing CIOs to build security scanning into the software development and procurement audit processes. There should be a checkpoint at which an application must contain fewer than a certain number of bugs, with all egregious errors eliminated. Other steps CIOs are taking include training and rewarding developers in secure coding, championing a quality assurance and security developer mentor program, holding software vendors and developers accountable to written security standards, and using the legal department to write security-conscious software contracts.


“All  a  CIO  has  to  say  is, 
We  won’t  accept  this 
level  of  quality,  and  the 
vendors  have  to  respond. 
Many  CIOs  are  saying, 
We’ll  buy  one  copy  of 
your  software  and  run 
some  security  scans  on 
it  before  we  invest.” 

-LAURIE  ORLOV,  ANALYST, 
FORRESTER  RESEARCH 


Sarbanes-Oxley Compliance By Ben Worthen | 70

MOST EXECUTIVES VIEW COMPLIANCE with Sarbanes-Oxley as a finance issue, not a systems issue. But this view ignores the fact that IT systems generate, support, house and transport the financial information whose accuracy CEOs are now personally accountable for. It’s the CIO who must build the controls that will ensure data stands up to audit scrutiny. CIOs now working on Sarbanes-Oxley compliance, including those at BellSouth, Mattel and Solectron, suggest mapping controls onto basic financial systems. Account and inventory management processes and purchasing systems must have a contract management function. Information from all systems has to be reconciled, either by integration or a shared data model. The controls even extend to IT staff deployment. Companies must assign different employees to code program changes, test the changes and then move the changes into production — a different person performing each task helps prevent errors and fraud.


Case Files: Blue Cross Self-Service System By Meridith Levinson | 79

BLUE CROSS AND BLUE SHIELD OF MINNESOTA’S new Web-based customer self-service system has led to a 10 percent growth in customer base and attracted major clients away from competitors. The system’s critical success factor was linking back-end and front-end systems and data migration. Customer data stored in databases needed to move to the Web front end, where it had to be reformatted to make sense to consumers. A data dictionary for all the specialized coverage codes matched each to equivalent English terms. ZIP codes, compressed to save money, were modified so that consumers wouldn’t be perplexed by the shorthand. BCBS then invited prototype testing. Case analyst Wendy S. Close says the attention to data migration and reformatting with the consumer in mind were two of several best practices BCBS used.


Product Lifecycle Management By Beth Stackpole | 92

THE PROMISE OF PRODUCT LIFECYCLE MANAGEMENT (PLM) is to seamlessly flow all of the information produced throughout a product’s life cycle to everyone in an organization. PLM is not so much a system as a strategy — for integrating and sharing information about products between applications and among different constituencies, such as engineering, purchasing, manufacturing, marketing and aftermarket support. For PLM to bear fruit, CIOs must be proactive and not leave deployment to the engineering department, where such initiatives generally originate. CIOs at Lear and GE Industrial Systems are selling the PLM concept to business leaders, shaping an enterprisewide strategy, targeting areas ripest for payback and setting data standards. Hamilton Sundstrand has used PLM to develop more interchangeable parts and reduce engineering change orders by 15 percent.


Emerging Technology: GIS Workforce Management By Alice Dragoon | 114

NOW THAT IT’S BECOMING FEASIBLE for companies to equip their employees with GPS-enabled phones, workers in the field are becoming “human cursors.” When a customer calls Roto-Rooter with a plumbing emergency, the dispatcher types in the customer’s ZIP code or address, creating a map showing the job site in relation to all local techs with the required expertise. The dispatcher can see not only who’s closest to the new job, but who’s available, in the middle of a job or within 15 minutes of finishing. This helps the dispatcher choose the best person for the assignment with minimum drive time. GIS-based workforce management is big in government. New York City pioneered CompStat — it uses GIS to map criminal activity and police deployment by date, time and location — which the city credits for helping reduce the violent crime rate by 70 percent.




Does the scalability of your BI TOOLS STACK UP?

CALL ACTUATE.

Training all your customers WOULD COST MILLIONS.

Information accessible only TO TRAINED POWER USERS.

It’s time to fold your HAND AND RUN.

ACTUATE


Enable your IT Department to build scalable Information Applications that give ALL users access to the right data — in a form they can act on right away.

Empower your entire organization with a solid foundation for delivering information: Actuate's Information Application Platform. Using Actuate 7, your IT team can build dashboards, enterprise reporting and other information applications that bring information access and analysis to 100% of your organization. All in forms they can use to take the right action — like Excel, PDFs, Web pages and more. And unlike business intelligence tools, Actuate 7 empowers everyone, not just power users, and offers the lowest TCO. So contact Actuate today and start building information applications that let you tower above the competition: 1-800-914-2259.

www.actuate.com/empower 


©  2003  Actuate  Corporation.  All  rights  reserved.  Actuate  is  a  registered  trademark  of  Actuate  Corporation. 




Your  business. 
Your  needs. 

Your  choice. 


It's  high  time  someone  in  the  software  industry  started  listening  to  your  needs.  And  standing  up  for  your 
rights.  Like  the  right  to  have  month-to-month  licensing.  And  the  right  to  no  upfront  payments.  That's  why 
we  offer  FlexSelect  LicensingSM  to  all  our  customers.  This  revolutionary  approach  to  licensing  is  based  on 
doing  business  on  your  terms,  not  ours.  So  you  can  have  just  the  software  you  need,  just  when  you  need 
it.  Check  it  out  today.  And  find  out  how  FlexSelect  Licensing  is  raising  more  than  just  eyebrows  in  the 
software  industry.  It's  raising  standards.  ca.com/flexselect 


Introducing  FlexSelect  LicensingSM 


Computer  Associates® 


2003 Computer Associates International, Inc. (CA). All rights reserved.


